+ "details": "The filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameterized queries.\n\nAffected code in models/Dependency/Dao.php:\n- getFilterRequiresByPath() lines 90, 95, 100\n- getFilterRequiredByPath() lines 148, 153, 158\n\nAll 6 locations use direct string concatenation like:\n\n \"AND LOWER(CONCAT(o.path, o.key)) RLIKE '\".$value.\"'\"\n\nNote that $orderBy and $orderDirection in the same methods (lines 75-81) ARE properly whitelist-validated, but $value has zero sanitization.\n\nEntry points (pimcore/admin-ui-classic-bundle ElementController.php):\n- GET /admin/element/get-requires-dependencies (line 654)\n- GET /admin/element/get-required-by-dependencies (line 714)\n\nThe controller JSON-decodes the filter query param and passes $filter['value'] straight to the Dao without any escaping.\n\nPoC (time-based blind):\n\n GET /admin/element/get-requires-dependencies?id=1&elementType=document&filter=[{\"type\":\"string\",\"value\":\"x' OR SLEEP(5)#\"}]\n\nIf vulnerable, the response is delayed by ~15 seconds (SLEEP runs 3 times, once per UNION arm in the inner subquery).\n\nPoC (error-based extraction):\n\n GET /admin/element/get-requires-dependencies?id=1&elementType=document&filter=[{\"type\":\"string\",\"value\":\"x' OR extractvalue(1,concat(0x7e,(SELECT version())))#\"}]\n\nReturns the MySQL version string in the error response.\n\nRequires admin authentication. An attacker with admin panel access can extract the full database including password hashes of other admin users.",
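Review bot: the details entry names the six unsanitized concatenation sites in models/Dependency/Dao.php (getFilterRequiresByPath() lines 90, 95, 100 and getFilterRequiredByPath() lines 148, 153, 158) but gives no remediation and no fixed version. Since it already contrasts $value with the whitelist-validated $orderBy and $orderDirection (lines 75-81), add one sentence stating how $value should be handled (passed as a bound parameter or quoted through the database layer instead of being concatenated into the RLIKE clause) and which release carries the fix, so consumers of this record can tell whether a given install is patched. The "Requires admin authentication" qualifier is the key severity context here and should stay in the first paragraph rather than the last, where it is easy to miss.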