[GHSA-vxg3-v4p6-f3fp] Pimcore vulnerable to SQL injection via unsanitized filter value in Dependency Dao RLIKE clause

[herbertroth]

Updates

• Affected products

Comments
The GitHub Advisory Database entry is missing the patched version for the 11.x branch. The repository advisory for pimcore/pimcore lists patched versions as 11.5.15 and 12.3.3, while the global advisory currently lists only 12.3.3. Please sync the reviewed advisory to include 11.5.15 as a patched version as well.

[github]

Hi there @astapc! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[Copilot]

Pull request overview

Updates the reviewed GitHub Advisory Database entry for GHSA-vxg3-v4p6-f3fp (Pimcore SQL injection) to reflect correct patched versions, aligning with the upstream pimcore/pimcore advisory.

Changes:

• Updates advisory metadata timestamp.
• Attempts to add the missing patched version for the 11.x branch.
• Adds an affected[].database_specific.last_known_affected_version_range entry.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The fixed event value is not a valid single version string ("12.3.3 11.5.15" contains two versions). This will likely fail schema/ingestion validation and also misrepresents the 12.x range. Keep the 12.x range as introduced: 12.0.0 -> fixed: 12.3.3, and add fixed: 11.5.15 to the separate 11.x affected range (instead of concatenating versions here).