CVE-2025-27617
Published: 11 March 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-27617 is a SQL injection vulnerability (CWE-89) affecting Pimcore, an open source data and experience management platform. The issue exists prior to version 11.5.4 in components related to data object class definitions, specifically the RelationFilterConditionParser and Multiselect classes, where authenticated users can craft a malicious filter string to inject SQL payloads. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
An attacker with low-privilege authenticated access (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). By submitting a specially crafted filter string, they can execute arbitrary SQL queries, potentially leading to high confidentiality, integrity, and availability impacts, such as data exfiltration, modification, or denial of service within the application's database.
The Pimcore security advisory (GHSA-qjpx-5m2p-5pgh) and associated fix in commit 19a8520895484e68fd254773e32476565d91deea confirm that upgrading to version 11.5.4 resolves the issue by addressing the filter parsing logic in the affected files. Security practitioners should prioritize patching Pimcore instances to this version and review access controls for authenticated users interacting with data object filters.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in Pimcore web app enables T1190 exploitation of public-facing application; arbitrary SQL directly facilitates T1213.006 database data exfiltration and T1565.001 stored data manipulation.