CVE-2023-47636: 
PHP vulnerability analysis and mitigation

CVE-2023-47636 affects the Pimcore Admin Classic Bundle, which provides a Backend UI for Pimcore. The vulnerability was disclosed on November 15, 2023, and involves a Full Path Disclosure (FPD) vulnerability that enables attackers to view the path to webroot/file. The issue was patched in version 1.2.1 (GitHub Advisory).

The vulnerability occurs when the fopen() function lacks proper error handling for non-existent files on the server. When a file doesn't exist, the server response exposes the full path in the format 'fopen(/var/www/html/var/tmp/export-{unique id}.csv)'. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The weakness is categorized as CWE-209: Generation of Error Message Containing Sensitive Information (NVD).

The vulnerability allows attackers to see the complete server path to webroot/files. This information disclosure could be particularly dangerous when combined with other vulnerabilities, such as SQL injection using load_file() queries, as it provides attackers with the necessary full path information to view page sources (GitHub Advisory).

The vulnerability has been patched in version 1.2.1 of the Pimcore Admin Classic Bundle. Users are advised to upgrade to this version or later. The fix was implemented in commit 10d178ef771, which addresses the error handling issue. There are no known workarounds for this vulnerability other than upgrading (GitHub Advisory).