CVE-2024-23646: 
PHP vulnerability analysis and mitigation

Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore that allows users to create zip files from available files on the site. In versions prior to 1.3.2, the parameter 'selectedIds' in the downloadAsZipAddFilesAction method was susceptible to SQL Injection. This vulnerability was assigned CVE-2024-23646 and was discovered on January 24, 2024 (GitHub Advisory).

The vulnerability exists because while downloadAsZipJobsAction properly escapes parameters, downloadAsZipAddFilesAction did not implement proper parameter escaping. The issue allows SQL injection through the 'selectedIds' parameter when creating zip files. The vulnerability was fixed by adding proper parameter quoting using $db->quote() for each selected ID in the downloadAsZipAddFilesAction method (GitHub Commit).

Any backend user with basic permissions can execute arbitrary SQL statements through this vulnerability. This allows attackers to potentially alter any data in the database or escalate their privileges to admin level (GitHub Advisory).

The vulnerability has been patched in version 1.3.2 of the Admin Classic Bundle. Users should upgrade to this version or later to receive the fix. The patch implements proper SQL parameter quoting for the selectedIds parameter (GitHub Release).