{"id":"CVE-2024-29197","summary":"Pimcore Preview Documents are not restricted to logged in users anymore","details":"Pimcore is an Open Source Data & Experience Management Platform. Any call with the query argument `?pimcore_preview=true` allows viewing unpublished sites. In previous versions of Pimcore, session information would propagate to previews, so only a logged-in user could open a preview. This no longer applies. Previews are wide open to any user, and with just the hint of a restricted link one could gain access to possibly confidential / unreleased information. This vulnerability is fixed in 11.2.2 and 11.1.6.1.\n","aliases":["GHSA-5737-rqv4-v445"],"modified":"2026-05-12T04:13:45.164813Z","published":"2024-03-26T15:10:41.792Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/29xxx/CVE-2024-29197.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-200"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/29xxx/CVE-2024-29197.json"},{"type":"ADVISORY","url":"https://github.com/pimcore/pimcore/security/advisories/GHSA-5737-rqv4-v445"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-29197"},{"type":"FIX","url":"https://github.com/pimcore/pimcore/commit/3ae43fb1065f9eb62ad2f542b883858d36d57e53"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pimcore/pimcore","events":[{"introduced":"715848ffd38ddc2cdfc442eefcc749603a52bc51"},{"fixed":"71e2ff092ad5d052f67fc9b8afcdb79d95691ebb"},{"fixed":"3ae43fb1065f9eb62ad2f542b883858d36d57e53"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"extracted_events":[{"introduced":"11.2.0"},{"fixed":"11.2.2"}],"cpe":"cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*"}}],"versions":["v11.2.0","v11.2.1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-29197.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}]}