CVE-2023-47637: 
PHP vulnerability analysis and mitigation

Pimcore, an Open Source Data & Experience Management Platform, was found to contain a SQL injection vulnerability (CVE-2023-47637) in versions prior to 11.1.1. The vulnerability was discovered in the /admin/object/grid-proxy endpoint, which improperly handles input validation in the Multiselect implementation of getFilterCondition(). This security flaw was disclosed on November 15, 2023, affecting all Pimcore installations before version 11.1.1 (GitHub Advisory).

The vulnerability exists in the /admin/object/grid-proxy endpoint which calls getFilterCondition() on fields of classes to be filtered for. The implementation in Multiselect does not properly normalize, escape, or validate the passed value, leading to SQL injection. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with low attack complexity (NVD).

The vulnerability allows any backend user with basic permissions to execute arbitrary SQL statements. This can result in unauthorized data modification, data access, and privilege escalation to admin level. An attacker could potentially alter any data in the database or elevate their privileges, compromising the entire system's security (GitHub Advisory, Fortiguard).

The vulnerability has been patched in Pimcore version 11.1.1. Users are strongly advised to upgrade to this version. The fix involves properly escaping filter values in the affected code. A patch is available in the commit d164d99c90f098d0ccd6b72929c48b727e2953a0 for those unable to upgrade immediately (GitHub Commit).