Skip to content

RCE vulnerability in Pimcore/Mail & Dynamic Text Layout

Moderate
dvesh3 published GHSA-5qxq-vgmm-q39m Oct 27, 2022

Package

composer pimcore/pimcore (Composer)

Affected versions

< 10.5.9

Patched versions

10.5.9

Description

Impact

The user controlled twig templates rendering in Pimcore/Mail & ClassDefinition\Layout\Text is vulnerable to server-side template Injection RCE.

Patches

Update to version 10.5.9 or apply this patch manually https://github.com/pimcore/pimcore/pull/13347.patch

Workarounds

Apply https://github.com/pimcore/pimcore/pull/13347.patch manually.

References

Credits: @nth347 from Viettel Cyber Security

Severity

Moderate

CVE ID

CVE-2022-39365

Weaknesses

Credits