CVE-2021-23405

HIGH8.8EPSS 0.03%

SQL injection in pimcore/pimcore

Published: 7/13/2021Modified: 3/13/2026

Description

This affects the package pimcore/pimcore before 10.0.7. This issue exists due to the absence of check on the storeId parameter in the method collectionsActionGet and groupsActionGet method within the ClassificationstoreController class.

Affected packages (1)

Packagist/pimcore/pimcorefrom 0, < 10.0.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-23405
WEBhttps://github.com/pimcore/pimcore/pull/9572
WEBhttps://snyk.io/vuln/SNYK-PHP-PIMCOREPIMCORE-1316297