GHSA-jfxw-6c5v-c42f: Pimcore Admin Classic Bundle Cross-site Scripting (XSS) in PDF previews

Skip to content

Sign up

CVE-2023-46722

• • Actions

    Automate any workflow

  • Packages

    Host and manage packages

  • Security

    Find and fix vulnerabilities

  • Codespaces

    Instant dev environments

  • Copilot

    Write better code with AI

  • Code review

    Manage code changes

  • Issues

    Plan and track work

  • Discussions

    Collaborate outside of code

Explore

*   All features
*   Documentation
*   GitHub Skills
*   Blog

• For

  • Enterprise
  • Teams
  • Startups
  • Education

  By Solution

  • CI/CD & Automation
  • DevOps
  • DevSecOps

  Resources

  • Learning Pathways
  • White papers, Ebooks, Webinars
  • Customer Stories
  • Partners

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles
    

Repositories

*   Topics
*   Trending
*   Collections

• Pricing

Search code, repositories, users, issues, pull requests…

Provide feedback

We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

Saved searches****Use saved searches to filter your results more quickly

Sign in

Sign up

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2023-46722

Pimcore Admin Classic Bundle Cross-site Scripting (XSS) in PDF previews

Moderate severity GitHub Reviewed Published Oct 31, 2023 in pimcore/admin-ui-classic-bundle • Updated Nov 1, 2023

Vulnerability details Dependabot alerts 0

Package

composer pimcore/admin-ui-classic-bundle (Composer)

Affected versions

< 1.2.0

Patched versions

1.2.0

Description

Impact

This vulnerability has the potential to steal a user’s cookie and gain unauthorized access to that user’s account through the stolen cookie or redirect users to other malicious sites.

Proof of Concept
Step 1. Go to /admin and login.
Step 2. In Documents, go to home -> click on Sample Content -> click Document folder
Step 3. Upload file PDF content XSS payload

Patches

Apply patches
https://github.com/pimcore/pimcore/commit/757375677dc83a44c6c22f26d97452cc5cda5d7c.patch
https://github.com/pimcore/admin-ui-classic-bundle/commit/19fda2e86557c2ed4978316104de5ccdaa66d8b9.patch

Workarounds

Update to version 1.2.0 or apply patches manually
https://github.com/pimcore/pimcore/commit/757375677dc83a44c6c22f26d97452cc5cda5d7c.patch
https://github.com/pimcore/admin-ui-classic-bundle/commit/19fda2e86557c2ed4978316104de5ccdaa66d8b9.patch

References

• GHSA-jfxw-6c5v-c42f
• https://nvd.nist.gov/vuln/detail/CVE-2023-46722
• pimcore/admin-ui-classic-bundle@19fda2e
• pimcore/pimcore@7573756

dvesh3 published to pimcore/admin-ui-classic-bundle

Oct 31, 2023

Published to the GitHub Advisory Database

Nov 1, 2023

Reviewed

Nov 1, 2023

Last updated

Nov 1, 2023

Severity

Moderate

6.1

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses

CWE-79

CVE ID

CVE-2023-46722

GHSA ID

GHSA-jfxw-6c5v-c42f

Source code

pimcore/admin-ui-classic-bundle

Credits

• tht1997 Reporter

Checking history

See something to contribute? Suggest improvements for this vulnerability.