Pimcore Cookie and Server Variable Logging Vulnerability Allowing Sensitive Data Exposure

Vulnerability

A vulnerability in Pimcore's logging mechanism prior to versions 12.3.1 and 11.5.14 allows sensitive information, including database passwords and session cookie data, to be logged in the 'http_error_log' file. This data can be accessed through the Pimcore backend. The issue arises because the logging function improperly includes POST parameters, cookies, and server variables, which can then be retrieved by users via the 'HTTP Errors' section under 'Search Engine Optimization' in the backend.
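The defensive pattern behind the fix is to stop request secrets from ever reaching a log that backend users can read. The following PHP is an added example written for this page, not Pimcore's own code or its actual patch: it assumes a hypothetical logger that receives the failed request as an associative array, drops cookies and server variables entirely, and redacts POST values whose keys look sensitive (the key patterns are an illustrative assumption).

```php
<?php
// Added example (not Pimcore code): sanitise request data before it is written
// to an HTTP error log. Assumption: the logger gets the request as an array with
// 'uri', 'method', 'code', 'post', 'cookies' and 'server' entries.

/**
 * Key patterns whose values must never be persisted. Illustrative list; extend
 * it for your own environment (assumption, not a Pimcore configuration).
 */
const SENSITIVE_KEY_PATTERNS = [
    '/password/i',
    '/passwd/i',
    '/secret/i',
    '/token/i',
    '/api[_-]?key/i',
    '/authorization/i',
    '/cookie/i',
    '/session/i',
    '/^DATABASE_URL$/i',
    '/^DB_/i',
];

function isSensitiveKey(string $key): bool
{
    foreach (SENSITIVE_KEY_PATTERNS as $pattern) {
        if (preg_match($pattern, $key) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Build the context that is safe to store for an HTTP error entry.
 * Cookies and server variables are never copied; POST parameters are kept
 * only with sensitive values replaced by a fixed marker.
 */
function buildSafeErrorContext(array $request): array
{
    $safe = [
        'uri'    => $request['uri'] ?? '',
        'method' => $request['method'] ?? '',
        'code'   => $request['code'] ?? 0,
        'post'   => [],
    ];
    foreach ($request['post'] ?? [] as $key => $value) {
        $safe['post'][$key] = isSensitiveKey((string) $key) ? '[REDACTED]' : $value;
    }
    // Deliberately not copied: $request['cookies'] and $request['server'].
    return $safe;
}

// Constructed sample request (made up for this example).
$sample = [
    'uri'     => '/checkout',
    'method'  => 'POST',
    'code'    => 500,
    'post'    => ['email' => 'user@example.com', 'password' => 'hunter2'],
    'cookies' => ['PHPSESSID' => 'abc123'],
    'server'  => ['DATABASE_URL' => 'mysql://app:dbpass@db/pimcore'],
];

$entry   = buildSafeErrorContext($sample);
$encoded = json_encode($entry, JSON_PRETTY_PRINT);

// Self-check: none of the secrets from the sample may survive in the log entry.
foreach (['hunter2', 'abc123', 'dbpass'] as $secret) {
    if (str_contains($encoded, $secret)) {
        throw new RuntimeException("secret leaked into log entry: $secret");
    }
}

echo $encoded, PHP_EOL;
```

Running the script prints only the URI, method, status code and the redacted POST array; the cookie and server sections are absent rather than masked, which is the safer default because any backend role that can browse error entries would otherwise see whatever masking missed.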

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive environment variables and cookie information, including database passwords, through the Pimcore backend.

Reproduction

To reproduce this vulnerability, navigate to the 'HTTP Errors' section in the Pimcore backend. Double-click on an entry to view its details, where exposed sensitive data can be found.

Remediation

Users should upgrade to Pimcore version 12.3.1 or 11.5.14 to address this vulnerability.

Added: Jan 15, 2026, 5:20 PM
Updated: Jan 15, 2026, 7:31 PM

Vulnerability Rating (Custom Algorithm)

spread: 3.4
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.