Headline
CVE-2023-1703: [Task] Optimized composite index key (#14636) · pimcore/pimcore@765832f
Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.20.
@@ -455,6 +455,14 @@ public function saveAction(Request $request)
$class->rename($values[‘name’]);
}
if ($values[‘compositeIndices’]) {
foreach ($values[‘compositeIndices’] as $index => $compositeIndex) {
if ($compositeIndex[‘index_key’] !== ($sanitizedKey = preg_replace('/[^a-za-z0-9_\-+]/’, '’, $compositeIndex[‘index_key’]))) {
$values[‘compositeIndices’][$index][‘index_key’] = $sanitizedKey;
}
}
}
unset($values[‘creationDate’]);
unset($values[‘userOwner’]);
unset($values[‘layoutDefinitions’]);
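Review bot: In the inner if, $compositeIndex['index_key'] is read without checking that the key exists or that its value is a string, and the result of preg_replace can be an empty string when the submitted key consists only of disallowed characters; that empty value is then written back as the index key. Consider rejecting the request (or skipping the entry) when the key is missing, not a string, or empty after filtering, instead of silently rewriting it. The character class as shown, a-za-z, repeats the lowercase range; if uppercase letters are meant to be allowed it should read a-zA-Z. The assignment to $sanitizedKey inside the condition is hard to read, and the !== comparison adds nothing, since assigning the filtered value unconditionally gives the same result. The outer if ($values['compositeIndices']) also assumes the key is present and iterable. A short comment saying why the key is restricted to this character set would help later readers.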
Related news
### Impact
Pimcore is vulnerable to cross-site scripting in the classes module.
### Patches
Update to version 10.5.20.
### Workarounds
Apply the patch https://github.com/pimcore/pimcore/commit/765832f0dc5f6cfb296a82e089b701066f27bcef.patch manually.