Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-6fvf-x8c6-2f6j: Cross-site Scripting (XSS) in DataObject Any Getter grid operator

Impact

Stored cross site scripting vulnerability in operator any getter in dataobject grid configuration.

Patches

Update to version 10.5.21 or apply this patch manually https://github.com/pimcore/pimcore/commit/6946f8a5a0a93b516c49f17a5b45044eebd73480.patch

Workarounds

Apply patch https://github.com/pimcore/pimcore/commit/6946f8a5a0a93b516c49f17a5b45044eebd73480.patch manually.

References

https://huntr.dev/bounties/bb1537a5-fe7b-4c77-a582-10a82435fbc2/

ghsa
Open in Source
#xss#vulnerability#git

Skip to content

Sign up

CVE-2023-2339

    • Actions

      Automate any workflow

    • Packages

      Host and manage packages

    • Security

      Find and fix vulnerabilities

    • Codespaces

      Instant dev environments

    • Copilot

      Write better code with AI

    • Code review

      Manage code changes

    • Issues

      Plan and track work

    • Discussions

      Collaborate outside of code

Explore

*   All features
*   Documentation
*   GitHub Skills
*   Blog

  • For

    • Enterprise
    • Teams
    • Startups
    • Education

    By Solution

    • CI/CD & Automation
    • DevOps
    • DevSecOps

    Case Studies

    • Customer Stories
    • Resources

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles
    

Repositories

*   Topics
*   Trending
*   Collections

  • Pricing

  • Search All GitHub

  • No suggested jump to results

  • Search All GitHub

  • Search All GitHub

  • Search All GitHub

Sign in

Sign up

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-2339

Cross-site Scripting (XSS) in DataObject Any Getter grid operator

Moderate severity GitHub Reviewed Published Apr 27, 2023 in pimcore/pimcore

Vulnerability details Dependabot alerts 0

Package

composer pimcore/pimcore (Composer)

Affected versions

< 10.5.21

Patched versions

10.5.21

Description

Impact

Stored cross site scripting vulnerability in operator any getter in dataobject grid configuration.

Patches

Update to version 10.5.21 or apply this patch manually https://github.com/pimcore/pimcore/commit/6946f8a5a0a93b516c49f17a5b45044eebd73480.patch

Workarounds

Apply patch https://github.com/pimcore/pimcore/commit/6946f8a5a0a93b516c49f17a5b45044eebd73480.patch manually.

References

https://huntr.dev/bounties/bb1537a5-fe7b-4c77-a582-10a82435fbc2/

References

  • GHSA-6fvf-x8c6-2f6j
  • https://nvd.nist.gov/vuln/detail/CVE-2023-2339
  • pimcore/pimcore@6946f8a
  • https://huntr.dev/bounties/bb1537a5-fe7b-4c77-a582-10a82435fbc2

dvesh3 published to pimcore/pimcore

Apr 27, 2023

Published to the GitHub Advisory Database

Apr 27, 2023

Reviewed

Apr 27, 2023

Severity

Moderate

6.1

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses

CWE-79

CVE ID

CVE-2023-2339

GHSA ID

GHSA-6fvf-x8c6-2f6j

Source code

pimcore/pimcore

Checking history

See something to contribute? Suggest improvements for this vulnerability.

Related news

CVE-2023-2339

Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21.

ghsa: Latest News

GHSA-95m2-chm4-mq7m: PHP-Textile has persistent XSS vulnerability in image link handling
ghsa