Headline
CVE-2023-2616: [Security] Fix xss in static routes panel (#14947) · pimcore/pimcore@07a2c95
Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21.
Permalink
Browse files
Browse the repository at this point in the history
[Security] Fix xss in static routes panel (#14947)
* added new helper function to htmlEncode textFields, fixed xss issue in static routes panel
* added `htmlspecialchars` to model
* fixed double encode issue
* fixed double encode problem in BE
* changed type of `htmlspecialchars`, added `htmlspecialchars` to `setMethods`
* improved `htmlSpecialChars`
* changed SecurityHelper method name to `convertHtmlSpecialChars`
* added htmlEncode to `deleteConfirm` msgbox
- Loading branch information
Related news
### Impact This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. ### Patches Update to version 10.5.21 or apply this patch manually: https://github.com/pimcore/pimcore/commit/07a2c95be524c7e20105cef58c5767d4ebb06091.patch ### Workarounds Apply patches manually: https://github.com/pimcore/pimcore/commit/07a2c95be524c7e20105cef58c5767d4ebb06091.patch ### References https://huntr.dev/bounties/564cb512-2bcc-4458-8c20-88110ab45801/
### Impact This security advisory is about the user settings, which include things like preferred time zone and number of items per page in item listings. These could be accessed by the anonymous user. This impacted only the anonymous users themselves, and had no impact on logged in users. As such the impact is limited, even if custom user settings have been added, but please consider if this matters for your site. The fix ensures that only logged in users can access their user settings. ### References https://developers.ibexa.co/security-advisories/ibexa-sa-2023-002-user-settings-are-accessible-on-the-front-end-for-the-anonymous-user