
CVE-2023-46722: Implement Asset Sanitizer Queue & Preview Check (#16053) · pimcore/pimcore@7573756

The Pimcore Admin Classic Bundle provides a backend UI for Pimcore. Prior to version 1.2.0, a cross-site scripting vulnerability has the potential to steal a user’s cookie and gain unauthorized access to that user’s account through the stolen cookie or redirect users to other malicious sites. Users should upgrade to version 1.2.0 to receive a patch or, as a workaround, apply the patch manually.

CVE
#xss #vulnerability #git #php #pdf #auth

Commit


Implement Asset Sanitizer Queue & Preview Check (#16053)

* Improve: add sanitizing pdf

* Improve: add sanitizing pdf

* Review changes - use scan instead of sanitizing

* Review changes - generate a version after scanning

* Review changes

* Update doc/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md

* Apply suggestions from code review

Co-authored-by: Jacob Dreesen [email protected]

* Update models/Asset/Document.php

Co-authored-by: Jacob Dreesen [email protected]

* Review changes

* Update doc/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md

Co-authored-by: aryaantony92 [email protected]

Co-authored-by: Divesh Pahuja [email protected]

Co-authored-by: Jacob Dreesen [email protected]

Co-authored-by: aryaantony92 [email protected]


Related news

GHSA-jfxw-6c5v-c42f: Pimcore Admin Classic Bundle Cross-site Scripting (XSS) in PDF previews

### Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.

### Proof of Concept

Step 1. Go to /admin and log in.

Step 2. In Documents, go to home -> click on Sample Content -> click Document folder.

Step 3. Upload a PDF file containing an XSS payload.

### Patches

Apply patches:

https://github.com/pimcore/pimcore/commit/757375677dc83a44c6c22f26d97452cc5cda5d7c.patch

https://github.com/pimcore/admin-ui-classic-bundle/commit/19fda2e86557c2ed4978316104de5ccdaa66d8b9.patch

### Workarounds

Update to version 1.2.0 or apply patches manually:

https://github.com/pimcore/pimcore/commit/757375677dc83a44c6c22f26d97452cc5cda5d7c.patch

https://github.com/pimcore/admin-ui-classic-bundle/commit/19fda2e86557c2ed4978316104de5ccdaa66d8b9.patch
