Pimcore SQL Injection Vulnerability in DataObject Composite Index Handling

Vulnerability

A blind SQL injection vulnerability has been identified in Pimcore version 12.3.3. It allows authenticated administrative users who can import or save DataObject class definitions to inject attacker-controlled composite index metadata. The injected metadata is not properly validated and is concatenated into SQL statements executed via Doctrine DBAL, leading to unintended SQL execution in the backend. The root cause is that the application accepts composite index data from imported JSON without strict validation, so the metadata can manipulate the SQL commands that alter database table structures.

Impact

Exploitation of this vulnerability allows privileged users to execute arbitrary SQL commands that modify the schema of Pimcore object tables. This could lead to unauthorized changes in the database structure, causing disruptions in data management and integrity for the affected objects.

Reproduction

To reproduce this vulnerability, an authenticated administrative user must import or save a DataObject class definition that includes a crafted composite index payload. The injection is most effective through the 'compositeIndices.index_columns' field, which is added directly to the SQL 'ALTER TABLE' command without any validation or escaping. Once the modified class definition is saved, the backend will execute the injected SQL, resulting in an altered database table.
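A pre-import check for the field named above, as an added example (not Pimcore code and not part of the original advisory). It assumes that compositeIndices is a list of objects, that each index_columns is a list of column names, and that a legitimate column name matches a conservative identifier pattern; the sample documents are constructed.

```python
import json
import re

# Assumption: a legitimate column name is a plain identifier, at most 64 chars.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def audit_composite_indices(definition_json):
    """Return (path, problem) findings for compositeIndices.index_columns."""
    data = json.loads(definition_json)
    if not isinstance(data, dict):
        return [("$", "class definition is not a JSON object")]
    indices = data.get("compositeIndices") or []
    if not isinstance(indices, list):
        return [("compositeIndices", "expected a list")]
    findings = []
    for i, entry in enumerate(indices):
        path = f"compositeIndices[{i}].index_columns"
        if not isinstance(entry, dict):
            findings.append((f"compositeIndices[{i}]", "expected an object"))
            continue
        columns = entry.get("index_columns")
        if not isinstance(columns, list) or not columns:
            findings.append((path, "expected a non-empty list of column names"))
            continue
        for j, col in enumerate(columns):
            if not isinstance(col, str):
                findings.append((f"{path}[{j}]", "not a string"))
            elif not IDENT.fullmatch(col):
                # Quotes, backticks, commas, spaces and parentheses all land here.
                findings.append((f"{path}[{j}]", f"not a plain identifier: {col!r}"))
    return findings


# Constructed sample definitions (not taken from a real export).
SAMPLE_OK = json.dumps({"compositeIndices": [{"index_columns": ["sku", "name"]}]})
SAMPLE_BAD = json.dumps({"compositeIndices": [
    {"index_columns": ["sku", "name`x"]},   # backtick breaks out of identifier quoting
    {"index_columns": "sku"},               # wrong type: string instead of list
    {"index_columns": [7]},                 # wrong element type
]})

if __name__ == "__main__":
    for label, doc in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        for path, problem in audit_composite_indices(doc):
            print(f"{label}: {path}: {problem}")
```

The same allow-list rule belongs on the server side at the point where the class definition is saved; a file-level check like this one only covers definitions that are reviewed before import.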

Added: Apr 27, 2026, 8:27 PM
Updated: Apr 27, 2026, 8:27 PM

Vulnerability Rating

Custom Algorithm
Spread: 3.4
Impact: 3.1
Exploitability: 6.3
Remediation: 0.0
Relevance: 6.8
Threat: 6.4
Urgency: 2.9
Incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.