CVE-2023-2614: Fix name field in custom reports (#15007) · pimcore/pimcore@c36ef54
Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.21.
@@ -76,6 +76,8 @@ public function addAction(Request $request)
$success = false;
$this->isValidConfigName($request->get(‘name’));
$report = CustomReport\Config::getByName($request->get(‘name’));
if (!$report) {
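Review bot: `$request->get('name')` is null when the parameter is absent, and `isValidConfigName(string $configName)` takes a non-nullable string, so a request without `name` now fails with a TypeError (an unhandled 500) instead of reaching the validation exception the check is meant to raise. Reading the value into a local with a string default keeps the missing-name case on the validation path: `$name = (string) $request->get('name', ''); $this->isValidConfigName($name);` and then passing `$name` to `getByName`. The same applies to the `newName` check in cloneAction and the `name` check in updateAction in the following hunks. addAction's body continues outside the hunk.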
@@ -129,6 +131,7 @@ public function cloneAction(Request $request)
$this->checkPermission(‘reports_config’);
$newName = $request->get(‘newName’);
$this->isValidConfigName($newName);
$report = CustomReport\Config::getByName($newName);
if ($report) {
throw new \Exception(‘report already exists’);
@@ -187,7 +190,7 @@ public function getAction(Request $request)
public function updateAction(Request $request)
{
$this->checkPermission(‘reports_config’);
$this->isValidConfigName($request->get(‘name’));
$report = CustomReport\Config::getByName($request->get(‘name’));
if (!$report) {
throw $this->createNotFoundException();
@@ -519,4 +522,13 @@ public function downloadCsvAction(Request $request)
throw new FileNotFoundException(“File \"$exportFile\” not found!");
}
/**
* @throws \Exception
*/
public function isValidConfigName(string $configName) {
if(!preg_match('/^[a-zA-Z0-9_\-]+$/’, $configName)) {
throw new \Exception(‘The customer report name is invalid’);
}
}
}
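Review bot: In isValidConfigName the pattern `/^[a-zA-Z0-9_\-]+$/` still accepts a value that ends in a single newline, because a PCRE `$` without the `D` modifier matches before a trailing `\n`, so a name such as `"report\n"` passes an allowlist that is meant to admit only the listed characters; anchoring with `\z` or `D` closes that gap: `if (!preg_match('/^[a-zA-Z0-9_\-]+$/D', $configName)) {`. The helper is also declared public on a controller although it is not an action, and its name suggests a boolean result while it throws, so `protected function isValidConfigName(string $configName): void` (or a name such as assertValidConfigName) would state the contract more precisely. The exception message reads "customer report" where the feature is the custom report. The docblock could say what is enforced rather than only `@throws`, e.g. `Ensures a custom report name contains only ASCII letters, digits, underscore and hyphen; throws \Exception otherwise.`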
### Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie, or to redirect users to other malicious sites.

### Patches

Update to version 10.5.21 or apply this patch manually: https://github.com/pimcore/pimcore/commit/c36ef54ce33f7b5e74b7b0ab9eabfed47c018fc7.patch

### Workarounds

Apply patches manually: https://github.com/pimcore/pimcore/commit/c36ef54ce33f7b5e74b7b0ab9eabfed47c018fc7.patch

### References

https://huntr.dev/bounties/1a5e6c65-2c5e-4617-9411-5b47a7e743a6/