Headline
CVE-2023-1116: [Task] Optimized blacklist email input (#14467) · pimcore/pimcore@f6d322e
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18.
@@ -123,9 +123,15 @@ pimcore.settings.email.blacklist = Class.create({ icon:"/bundles/pimcoreadmin/img/flat-color-icons/delete.svg", handler:function (grid, rowIndex) { let data = grid.getStore().getAt(rowIndex); pimcore.helpers.deleteConfirm(t(‘email_blacklist’), data.data.address, function () { grid.getStore().removeAt(rowIndex); }.bind(this)); const sanitizedEmail = pimcore.helpers.sanitizeEmail(data.data.address);
pimcore.helpers.deleteConfirm( t(‘email_blacklist’), sanitizedEmail, function () { grid.getStore().removeAt(rowIndex); }.bind(this) ); }.bind(this) } ] @@ -185,8 +191,10 @@ pimcore.settings.email.blacklist = Class.create({ onAdd:function (btn, ev) { Ext.MessageBox.prompt("", t(“email_address”), function (button, value) { if(button == “ok”) { const sanitizedEmail = pimcore.helpers.sanitizeEmail(value);
var u = { "address": value "address": sanitizedEmail };
this.grid.store.insert(0, u);
Related news
### Impact The attacker can execute arbitrary JavaScript and steal Cookies information and use them to hijack the user's session. ### Patches Update to version 10.5.18 or apply this patch manually https://github.com/pimcore/pimcore/pull/14467.patch ### Workarounds Apply https://github.com/pimcore/pimcore/pull/14467.patch manually. ### References https://huntr.dev/bounties/3245ff99-9adf-4db9-af94-f995747e09d1/