CVE-2026-23493
BaseFortify
Publication date: 2026-01-15
Last updated on: 2026-01-15
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pimcore | pimcore | to 11.5.14 (inc) |
| pimcore | pimcore | to 12.3.1 (inc) |
| pimcore | pimcore | to 11.5.13 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Pimcore involves the improper logging of sensitive data such as POST parameters, cookies, and server environment variables in the HTTP error log. Specifically, the `http_error_log` file stored contents of PHP superglobals `$_COOKIE` and `$_SERVER`, exposing sensitive information like database passwords and session cookie data through the Pimcore backend interface. The issue was caused by code that logged these sensitive variables unnecessarily. The fix removes the logging and display of these sensitive data fields from the error logs, preventing potential exposure of confidential information. [1, 3]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to sensitive information such as database passwords and session cookies by anyone who can access the Pimcore backend error logs. Since the logs contain sensitive POST data, cookies, and server variables, an attacker could exploit this to compromise confidentiality, potentially leading to data breaches or unauthorized system access. The vulnerability can be exploited remotely without authentication or user interaction, making it a high-risk issue. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the Pimcore backend for HTTP error log entries that contain sensitive data such as $_COOKIE and $_SERVER variables. Specifically, you can access the Pimcore backend, navigate to 'Search Engine Optimization' then 'HTTP Errors', and view the details of logged error entries to see if sensitive data is present. Additionally, inspecting the database table `http_error_log` for columns `parametersPost`, `cookies`, and `serverVars` and their contents can help detect if sensitive data has been logged. There are no specific command-line commands provided in the resources, but querying the database for these columns or reviewing the backend error log UI are the suggested methods. [3, 1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Pimcore to version 12.3.1 or 11.5.14 or later, where the vulnerability is fixed. The fix involves removing the logging of sensitive data ($_POST, $_COOKIE, $_SERVER) from the HTTP error logs. Additionally, running the provided optional database migration script to remove previously logged sensitive data from the `http_error_log` table is recommended. This update disables storage and display of sensitive information in error logs, preventing exposure. Applying the official security update and ensuring no legacy logging of sensitive data remains are the key mitigation actions. [1, 2, 4, 5]
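The two database-side steps above, checking the `http_error_log` table for stored request data and then removing it, as an added Python example that is not part of the BaseFortify page or of Pimcore's own code or migration. It uses an in-memory SQLite database as a stand-in for the real table: only the table name and the columns `parametersPost`, `cookies` and `serverVars` come from the advisory; the `id`, `path` and `code` columns, the sample rows and the credential-marker list are constructed assumptions. Against a live Pimcore database the same column names apply, run in that database engine's own SQL.

```python
"""Check a Pimcore-style http_error_log table for logged request data and scrub it.

Added example (not code from the BaseFortify page or from Pimcore). It uses an
in-memory SQLite database as a stand-in for the real table: the table name and
the columns parametersPost, cookies and serverVars come from the advisory; the
id, path and code columns, the sample rows and the marker list are constructed.
"""
import sqlite3

# Columns that the vulnerable versions filled with $_POST, $_COOKIE and $_SERVER.
SENSITIVE_COLUMNS = ("parametersPost", "cookies", "serverVars")

# Substrings that usually mark credentials or session material (constructed list,
# matched case-insensitively against the raw column text).
CREDENTIAL_MARKERS = ("password", "secret", "token", "phpsessid")

# Constructed rows: one written by a vulnerable version, one by a fixed version,
# and one holding request data that carries no obvious credential.
SAMPLE_ROWS = [
    (1, "/admin/login", 500, None, "PHPSESSID=abc123",
     '{"DB_PASSWORD": "constructed-not-real", "REQUEST_URI": "/admin/login"}'),
    (2, "/missing-page", 404, None, None, None),
    (3, "/search", 404, '{"q": "shoes"}', None, '{"REQUEST_URI": "/search"}'),
]

# WHERE clause built from the fixed column list above (no user input reaches it).
_NON_EMPTY = " OR ".join(f"COALESCE({c}, '') <> ''" for c in SENSITIVE_COLUMNS)


def build_sample_db() -> sqlite3.Connection:
    """Create the stand-in table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE http_error_log ("
        "id INTEGER PRIMARY KEY, path TEXT, code INTEGER, "
        "parametersPost TEXT, cookies TEXT, serverVars TEXT)"
    )
    conn.executemany("INSERT INTO http_error_log VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_sensitive_rows(conn: sqlite3.Connection) -> dict[int, list[str]]:
    """Return {row id: matched markers} for every row that still holds request data.

    Any non-empty value in the three columns counts as a finding, because the
    advisory treats the stored $_COOKIE / $_SERVER dumps themselves as exposure;
    the marker list only ranks which rows most likely contain credentials.
    """
    query = f"SELECT id, {', '.join(SENSITIVE_COLUMNS)} FROM http_error_log WHERE {_NON_EMPTY}"
    findings: dict[int, list[str]] = {}
    for row_id, *blobs in conn.execute(query):
        text = " ".join(b for b in blobs if b).lower()
        findings[row_id] = sorted(m for m in CREDENTIAL_MARKERS if m in text)
    return findings


def scrub_sensitive_columns(conn: sqlite3.Connection) -> int:
    """Null out the three columns on every affected row and return the row count.

    This follows the intent of the optional migration the advisory mentions:
    keep the error entries themselves (path, status code) but drop the request
    data that should never have been stored.
    """
    assignments = ", ".join(f"{c} = NULL" for c in SENSITIVE_COLUMNS)
    cur = conn.execute(f"UPDATE http_error_log SET {assignments} WHERE {_NON_EMPTY}")
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    for row_id, markers in find_sensitive_rows(db).items():
        print(f"row {row_id}: request data present, markers={markers or 'none'}")
    print(f"scrubbed {scrub_sensitive_columns(db)} rows; remaining: {find_sensitive_rows(db)}")
```

Running the detection before the scrub flags rows 1 and 3 (row 2, written after the fix, stores nothing in those columns); only row 1 matches credential markers. After the scrub the same query returns nothing, which is the state you want before treating the upgrade as complete.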