CVE-2023-4145: Fix Xss in the segment name (#490) · pimcore/customer-data-framework@72f45dd
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/customer-data-framework prior to 3.4.2.
@@ -19,6 +19,7 @@
use CustomerManagementFrameworkBundle\Model\CustomerSegmentInterface;
use Pimcore\Model\DataObject\ClassDefinition;
use Pimcore\Model\DataObject\ClassDefinition\Data;
use Pimcore\Security\SecurityHelper;
use Symfony\Contracts\Translation\TranslatorInterface;
class DefaultViewFormatter implements ViewFormatterInterface
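Review bot: the added `use Pimcore\Security\SecurityHelper;` import is placed correctly in alphabetical order between the `Pimcore\Model\DataObject` imports and `Symfony\Contracts\Translation\TranslatorInterface`, but it pulls the escaping helper from the core Pimcore package rather than from this bundle, so please confirm that the bundle's minimum Pimcore version requirement covers a release that ships `SecurityHelper::convertHtmlSpecialChars`; otherwise the later call fails with a fatal error on older installations instead of escaping.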
@@ -176,7 +177,7 @@ public function getLocale()
*/
protected function formatSegmentValue(CustomerSegmentInterface $segment)
{
return sprintf('<span class="label label-default">%s</span>’, $segment->getName());
return sprintf('<span class="label label-default">%s</span>’, SecurityHelper::convertHtmlSpecialChars($segment->getName()));
}
protected function getLanguageFromLocale($locale)
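Review bot: escaping at output time in `formatSegmentValue` is the right place for this fix, since `$segment->getName()` is stored, user-controlled data that was interpolated raw into the `<span>` via `sprintf`, but the hunk lacks a regression test; add one that formats a segment whose name contains `<` and `"` and asserts the result contains `&lt;` and `&quot;` and no element other than the wrapping span. If other methods in `DefaultViewFormatter` build markup with the same `sprintf('<span ...>%s</span>', ...)` pattern, they need the same treatment, as this hunk covers only the one call site. Note for readers that this rendering has dropped the diff's `-`/`+` markers, so the two `return` lines are the removed and added versions of one statement, not unreachable code after a return.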
Related news
### Impact
Because HTML injection works in email, an attacker can trick a victim into clicking such hyperlinks, redirecting them to any malicious site, and can also host an XSS page. All of this will surely cause some damage to the victim. This could lead to users being tricked into giving their logins away to malicious attackers.

### Patches
Update to version 3.4.2 or apply this patch manually: https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch

### Workarounds
Apply https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch manually.

### References
https://huntr.dev/bounties/ce852777-2994-40b4-bb4e-c4d10023eeb0/
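The following is an added example, not code from pimcore/customer-data-framework, showing the defect class the advisory describes and the output-escaping fix pattern side by side, plus a small regression check of the kind the commit lacks. `SegmentStub` is a constructed stand-in for `CustomerSegmentInterface`, the sample segment name is constructed test data, and plain `htmlspecialchars` stands in for the project's `SecurityHelper::convertHtmlSpecialChars` so the file runs on its own under PHP 8.

```php
<?php
// Added example (not the project's code). Demonstrates why a stored segment
// name must be escaped at the output boundary before being placed in HTML.

// Constructed stand-in for CustomerSegmentInterface: just carries a name.
final class SegmentStub
{
    public function __construct(private string $name) {}

    public function getName(): string
    {
        return $this->name;
    }
}

// Pre-fix pattern: stored data is trusted and written straight into markup,
// so any tag or attribute inside the name becomes live HTML.
function formatSegmentValueUnescaped(SegmentStub $segment): string
{
    return sprintf('<span class="label label-default">%s</span>', $segment->getName());
}

// Fix pattern: escape at output time. ENT_QUOTES covers both quote styles so
// the value is also inert in attribute context; ENT_SUBSTITUTE keeps invalid
// UTF-8 from silently producing an empty string, which would mask the bug.
function formatSegmentValueEscaped(SegmentStub $segment): string
{
    $safe = htmlspecialchars($segment->getName(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return sprintf('<span class="label label-default">%s</span>', $safe);
}

// Regression check: the rendered fragment must contain exactly one element
// (the wrapping <span>) and must carry the name only as escaped text.
function rendersNameAsTextOnly(string $html): bool
{
    $elementCount = preg_match_all('/<[a-zA-Z]/', $html);

    return $elementCount === 1 && str_contains($html, '&lt;');
}

// Constructed sample: a name that carries markup and a double quote.
$segment = new SegmentStub('<i>VIP</i> "gold"');

$unsafe = formatSegmentValueUnescaped($segment);
$safe   = formatSegmentValueEscaped($segment);

echo 'unescaped passes check: ', var_export(rendersNameAsTextOnly($unsafe), true), PHP_EOL;
echo 'escaped passes check:   ', var_export(rendersNameAsTextOnly($safe), true), PHP_EOL;
echo $safe, PHP_EOL;
```

Run it with `php example.php`; the unescaped variant fails the check because the `<i>` from the stored name survives as a second element, while the escaped variant passes because both the angle brackets and the double quote are turned into entities. The same assertion, pointed at the real `DefaultViewFormatter::formatSegmentValue`, would make a suitable PHPUnit regression test for CVE-2023-4145.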