CVE-2024-29197

Pimcore is an Open Source Data & Experience Management Platform. Any call with the query argument `?pimcore_preview=true` allows to view unpublished sites. In previous versions of Pimcore, session information would propagate to previews, so only a logged in user could open a preview. This no longer applies. Previews are broad open to any user and with just the hint of a restricted link one could gain access to possible confident / unreleased information. This vulnerability is fixed in 11.2.2 and 11.1.6.1.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/pimcore/pimcore/commit/3ae43fb1065f9eb62ad2f542b883858d36d57e53	Patch
https://github.com/pimcore/pimcore/security/advisories/GHSA-5737-rqv4-v445	Exploit Third Party Advisory
https://github.com/pimcore/pimcore/commit/3ae43fb1065f9eb62ad2f542b883858d36d57e53	Patch
https://github.com/pimcore/pimcore/security/advisories/GHSA-5737-rqv4-v445	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pimcore:pimcore::::::::
	cpe:2.3:a:pimcore:pimcore::::::::

History

05 Nov 2025, 22:18

Type	Values Removed	Values Added
References	~~() https://github.com/pimcore/pimcore/commit/3ae43fb1065f9eb62ad2f542b883858d36d57e53 -~~	() https://github.com/pimcore/pimcore/commit/3ae43fb1065f9eb62ad2f542b883858d36d57e53 - Patch
References	~~() https://github.com/pimcore/pimcore/security/advisories/GHSA-5737-rqv4-v445 -~~	() https://github.com/pimcore/pimcore/security/advisories/GHSA-5737-rqv4-v445 - Exploit, Third Party Advisory
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:pimcore:pimcore::::::::
First Time		Pimcore pimcore Pimcore

21 Nov 2024, 09:07

Type	Values Removed	Values Added
References	~~() https://github.com/pimcore/pimcore/commit/3ae43fb1065f9eb62ad2f542b883858d36d57e53 -~~	() https://github.com/pimcore/pimcore/commit/3ae43fb1065f9eb62ad2f542b883858d36d57e53 -
References	~~() https://github.com/pimcore/pimcore/security/advisories/GHSA-5737-rqv4-v445 -~~	() https://github.com/pimcore/pimcore/security/advisories/GHSA-5737-rqv4-v445 -
Summary		(es) Pimcore es una plataforma de gestión de experiencias y datos de código abierto. Cualquier llamada con el argumento de consulta `?pimcore_preview=true` permite ver sitios no publicados. En versiones anteriores de Pimcore, la información de la sesión se propagaba a las vistas previas, por lo que solo un usuario que había iniciado sesión podía abrir una vista previa. Esto ya no se aplica. Las vistas previas están abiertas a cualquier usuario y con sólo un indicio de un enlace restringido se puede obtener acceso a posible información confidencial o inédita. Esta vulnerabilidad se solucionó en 11.2.2 y 11.1.6.1.

26 Mar 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-26 15:15

Updated : 2025-11-05 22:18

NVD link : CVE-2024-29197

Mitre link : CVE-2024-29197

CVE.ORG link : CVE-2024-29197

JSON object : View

Products Affected

pimcore

pimcore

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

6.5 /10