CVE-2023-2340: [Security] Stored cross site scripting vulnerability in Save grid opt… · pimcore/pimcore@aa38319
Stored cross-site scripting (XSS) in the GitHub repository pimcore/pimcore prior to 10.5.21.
@@ -346,14 +346,14 @@ public function doGetGridColumnConfig(Request $request, Config $config, $isDelet
$gridConfigId = $savedGridConfig->getId();
$gridConfig = $savedGridConfig->getConfig();
$gridConfig = json_decode($gridConfig, true);
$gridConfigName = $savedGridConfig->getName();
$gridConfigName = SecurityHelper::convertHtmlSpecialChars($savedGridConfig->getName());
$owner = $savedGridConfig->getOwnerId();
$ownerObject = User::getById($owner);
if ($ownerObject instanceof User) {
$owner = $ownerObject->getName();
}
$modificationDate = $savedGridConfig->getModificationDate();
$gridConfigDescription = $savedGridConfig->getDescription();
$gridConfigDescription = SecurityHelper::convertHtmlSpecialChars($savedGridConfig->getDescription());
$sharedGlobally = $savedGridConfig->isShareGlobally();
$setAsFavourite = $savedGridConfig->isSetAsFavourite();
@@ -951,8 +951,8 @@ public function gridSaveColumnConfigAction(Request $request)
}
if ($metadata) {
$gridConfig->setName($metadata[‘gridConfigName’]);
$gridConfig->setDescription($metadata[‘gridConfigDescription’]);
$gridConfig->setName(SecurityHelper::convertHtmlSpecialChars($metadata[‘gridConfigName’]));
$gridConfig->setDescription(SecurityHelper::convertHtmlSpecialChars($metadata[‘gridConfigDescription’]));
$gridConfig->setShareGlobally($metadata[‘shareGlobally’] && $this->getAdminUser()->isAdmin());
$gridConfig->setSetAsFavourite($metadata[‘setAsFavourite’] && $this->getAdminUser()->isAdmin());
}
@@ -968,8 +968,8 @@ public function gridSaveColumnConfigAction(Request $request)
$settings = $this->getShareSettings($gridConfig->getId());
$settings[‘gridConfigId’] = (int)$gridConfig->getId();
$settings[‘gridConfigName’] = $gridConfig->getName();
$settings[‘gridConfigDescription’] = $gridConfig->getDescription();
$settings[‘gridConfigName’] = SecurityHelper::convertHtmlSpecialChars($gridConfig->getName());
$settings[‘gridConfigDescription’] = SecurityHelper::convertHtmlSpecialChars($gridConfig->getDescription());
$settings[‘shareGlobally’] = $gridConfig->isShareGlobally();
$settings[‘setAsFavourite’] = $gridConfig->isSetAsFavourite();
$settings[‘isShared’] = $gridConfig->getOwnerId() != $this->getAdminUser()->getId() && !$this->getAdminUser()->isAdmin();
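Review bot: The same value is now HTML-encoded twice: the save branch of gridSaveColumnConfigAction persists `SecurityHelper::convertHtmlSpecialChars($metadata['gridConfigName'])` (and the description likewise), while the read paths in doGetGridColumnConfig and in the `$settings` array of the same action encode the stored value again, so a name containing `&`, `<` or a quote comes back as a doubled entity such as `&amp;amp;` unless the helper passes `double_encode: false` — the helper is not visible here, so that needs confirming. Grid configurations saved before this change that already contain entities, and any other consumer that reads getName()/getDescription() for a non-HTML context, are affected as well. Escaping belongs at the output boundary; I would keep `$gridConfig->setName($metadata['gridConfigName']);` and `$gridConfig->setDescription($metadata['gridConfigDescription']);` storing the raw input and rely on the encoding in the two response-building hunks, or, if encoding at rest is intended as defence in depth, add a comment on the store stating that the helper is idempotent. Each of the three hunks is a slice of a method that begins and ends outside the shown lines.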
Related news
### Impact
An attacker is able to steal the user's session cookie, which can lead to complete account takeover.
### Patches
Update to version 10.5.21 or apply this patch manually: https://github.com/pimcore/pimcore/commit/aa38319e353cc3cdfac12e03e21ed7a8f3628d3e.patch
### Workarounds
Apply the patch https://github.com/pimcore/pimcore/commit/aa38319e353cc3cdfac12e03e21ed7a8f3628d3e.patch manually.
### References
https://huntr.dev/bounties/964762b0-b4fe-441c-81e1-0ebdbbf80f3b/