{"id":"CVE-2018-14057","details":"Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks because the X-pimcore-csrf-token anti-CSRF token is validated only in the \"Settings \u003e Users / Roles\" function; other functions do not validate it.","aliases":["GHSA-gmff-vcv6-mmfr"],"modified":"2026-03-15T14:29:31.655814Z","published":"2018-08-17T18:29:00.477Z","references":[{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/148954/Pimcore-5.2.3-CSRF-Cross-Site-Scripting-SQL-Injection.html"},{"type":"EVIDENCE","url":"http://seclists.org/fulldisclosure/2018/Aug/13"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/45208/"},{"type":"EVIDENCE","url":"https://www.sec-consult.com/en/blog/advisories/sql-injection-xss-csrf-vulnerabilities-in-pimcore-software/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pimcore/pimcore","events":[{"introduced":"0"},{"fixed":"6642d20155a5166ab523641a9fd70a2da99e73f4"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"5.3.0"}]}}],"versions":["2.2.0","2.2.1","2.2.2","2.3.0","3.0.0","3.0.1","3.0.2","3.0.3","3.0.4","3.0.5","3.0.6","3.1.0","3.1.1","4.0.0","4.0.1","4.1.0","4.1.1","4.1.2","4.1.3","4.2.0","4.3.0","4.3.1","4.4.0","4.4.1","4.4.2","4.4.3","4.5.0","v5.0.0","v5.0.0-RC","v5.0.1","v5.0.2","v5.0.3","v5.0.4","v5.1.0","v5.1.0-alpha","v5.1.1","v5.1.2","v5.1.3","v5.2.0","v5.2.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-14057.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}