CSRF at pimcore/pimcore - CVE-2018-14058

Overview

Multiple functions in the application are not protected by the existing anti-CSRF token. Because the token check is applied only to some of the state-changing endpoints, an attacker can perform a cross-site request forgery attack against the unprotected ones and, at a minimum, add, update or delete entries on behalf of a logged-in user, among other actions.
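The pattern behind this class of bug is an anti-CSRF check that lives inside individual handlers rather than in one central place, so any handler that forgets it is exploitable. The following is an added illustration, not pimcore code and not PHP like the project itself: it is a self-contained Python sketch with hypothetical handler names (`add_entry`, `update_entry`, `delete_entry`) in which only one handler validates the token, and a hardened dispatcher that enforces the token once for every non-safe method. The forged request models what an auto-submitting form on an attacker's site produces: the browser attaches the victim's session cookie, but the attacker cannot read or supply the per-session token.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class Session:
    """Server-side session bound to the victim's cookie; the CSRF token lives here."""

    def __init__(self):
        self.csrf_token = secrets.token_hex(32)
        self.entries = {}


class Request:
    """Minimal request model (constructed for this example, not a real framework)."""

    def __init__(self, method, path, session, form=None):
        self.method = method
        self.path = path
        self.session = session  # resolved from the cookie the browser sends automatically
        self.form = form or {}


def token_is_valid(session, form):
    """Constant-time comparison of the submitted token against the session token.
    Both sides are encoded to bytes so a non-ASCII submission cannot raise."""
    token = form.get("csrf_token", "")
    if not token:
        return False
    return hmac.compare_digest(token.encode(), session.csrf_token.encode())


# Handlers: only `add_entry` remembers the token check; `update_entry` and
# `delete_entry` are the kind of forgotten endpoints the advisory describes.
def add_entry(req):
    if not token_is_valid(req.session, req.form):
        return 403, "bad csrf token"
    req.session.entries[req.form["id"]] = req.form["value"]
    return 200, "added"


def update_entry(req):  # vulnerable: no token check
    req.session.entries[req.form["id"]] = req.form["value"]
    return 200, "updated"


def delete_entry(req):  # vulnerable: no token check
    req.session.entries.pop(req.form["id"], None)
    return 200, "deleted"


ROUTES = {
    "/entry/add": add_entry,
    "/entry/update": update_entry,
    "/entry/delete": delete_entry,
}


def dispatch_vulnerable(req):
    """Per-handler protection: whatever each handler does (or forgets) is final."""
    return ROUTES[req.path](req)


def dispatch_hardened(req):
    """Central protection: every state-changing request must carry a valid token,
    regardless of whether the handler itself checks."""
    if req.method not in SAFE_METHODS and not token_is_valid(req.session, req.form):
        return 403, "bad csrf token"
    return ROUTES[req.path](req)


def forged_request(victim_session, path, form):
    """A cross-site auto-submitted POST: victim's session rides along via the
    cookie, but the form body contains no csrf_token."""
    return Request("POST", path, victim_session, form)


def demo(dispatch):
    """Run a forged delete through the given dispatcher.
    Returns (HTTP status, whether the victim's entry survived)."""
    victim = Session()
    victim.entries["1"] = "keep me"
    status, _ = dispatch(forged_request(victim, "/entry/delete", {"id": "1"}))
    return status, "1" in victim.entries


if __name__ == "__main__":
    print("vulnerable:", demo(dispatch_vulnerable))  # (200, False): entry deleted
    print("hardened:  ", demo(dispatch_hardened))    # (403, True): entry survives
```

The practical check when auditing a fix like this one is not "does the app have a CSRF token" but "is the token enforced for every non-GET route, and is that enforcement applied before the handler runs" (a middleware, a base-controller hook or a framework-level listener), so that a newly added handler cannot reintroduce the bug.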

Severity

Medium

Remediation

Update to "pimcore/pimcore": "v5.3.0"

Please note that:

The vendor has published a new release (version 5.3.0) which fixes most of the identified issues, but not the XSS issues that affect administrative functions.

Reference

https://www.sec-consult.com/en/blog/advisories/sql-injection-xss-csrf-vulnerabilities-in-pimcore-software/
