GHSA-6vf6-g3pr-j83h: pimcore is vulnerable to cross-site scripting via "title field " in data objects

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2023-0323

pimcore is vulnerable to cross-site scripting via "title field " in data objects

Moderate severity GitHub Reviewed Published Jan 20, 2023 in pimcore/pimcore • Updated Jan 20, 2023

Vulnerability details Dependabot alerts 0

Package

composer pimcore/pimcore (Composer)

Affected versions

< 10.5.14

Patched versions

10.5.14

Description

Impact

The vulnerability is capable of resulting in stolen user cookies.

Proof of Concept

Login with dev account https://11.x-dev.pimcore.fun/admin/?_dc=1670962076&perspective=

Go to setting --> data objects --> classes --> events

Click media under genaral settings

Add payload in title field.

Go to data objects module and open events, xss will trigger

// PoC.js "><iMg SrC="x" oNeRRor="alert(xss);">

Patches

Update to version 10.5.14 or apply this patch manually https://github.com/pimcore/pimcore/pull/13916.patch

Workarounds

Apply https://github.com/pimcore/pimcore/pull/13916.patch manually.

References

https://huntr.dev/bounties/129d6a4b-0504-4de1-a72c-3f12c4552343/

References

• GHSA-6vf6-g3pr-j83h
• https://nvd.nist.gov/vuln/detail/CVE-2023-0323
• https://github.com/pimcore/pimcore/pull/13916.patch
• pimcore/pimcore@746fac1
• https://huntr.dev/bounties/129d6a4b-0504-4de1-a72c-3f12c4552343

dvesh3 published the maintainer security advisory

Jan 16, 2023

Severity

Moderate

Weaknesses

CWE-79

CVE ID

CVE-2023-0323

GHSA ID

GHSA-6vf6-g3pr-j83h

Source code

pimcore/pimcore

Checking history

See something to contribute? Suggest improvements for this vulnerability.