CVE-2023-1702: Security fix in Predefined section (#14721) · pimcore/pimcore@2b99773
Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.20.
@@ -215,7 +215,9 @@ pimcore.settings.metadata.predefined = Class.create({
tooltip: t(‘delete’),
handler: function (grid, rowIndex) {
let data = grid.getStore().getAt(rowIndex);
pimcore.helpers.deleteConfirm(t(‘predefined_metadata’), data.data.name, function () {
pimcore.helpers.deleteConfirm(t(‘predefined_metadata’),
Ext.util.Format.htmlEncode(data.data.name),
function () {
grid.getStore().removeAt(rowIndex);
}.bind(this));
}.bind(this)
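Review bot: encoding `data.data.name` at this one call site leaves the root cause in `pimcore.helpers.deleteConfirm`, which evidently places its second argument into the confirmation dialog's HTML unescaped; the more robust fix is to apply `Ext.util.Format.htmlEncode` (or render the value as text) inside `deleteConfirm` itself, so that every other caller that passes a user-controlled name is protected without each having to remember the wrapper. If the helper cannot be changed, the call-site change here is correct as shown, but a short comment on the `Ext.util.Format.htmlEncode(data.data.name)` line explaining why the encoding is required would stop a future refactor from dropping it.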
### Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie, or to redirect users to other malicious sites.

### Patches

Update to version 10.5.20 or apply this patch manually: https://github.com/pimcore/pimcore/pull/14721.patch

### Workarounds

Apply the patch manually: https://github.com/pimcore/pimcore/pull/14721.patch

### References

https://huntr.dev/bounties/d8a47f29-3297-4fce-b534-e1d95a2b3e19