Headline
GHSA-96hp-38wx-j3wc: Pimcore vulnerable to Cross Site Scripting in Email Blacklist
Impact
An attacker can execute arbitrary JavaScript in a victim's browser, steal that user's cookies and use them to hijack the user's session.
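Because the flaw is a stored XSS in a blacklist of e-mail addresses, the defensive pattern a reviewer would look for is twofold: reject anything that is not an address when an entry is saved, and escape every stored entry when it is rendered back into a page. The following is an added example written for this advisory; it is not Pimcore's code and does not reproduce the actual fix in PR #14467. The function names, the sample submissions and the in-memory `$blacklist` array are all constructed for illustration.

```php
<?php
// Added example (not Pimcore's code): two layers of defence for a stored
// e-mail blacklist, shown with constructed sample input.

/**
 * Normalize and validate one blacklist submission.
 * Returns the lower-cased, trimmed address, or null if the input is not a
 * syntactically valid e-mail address (markup, bare words, empty input, ...).
 */
function normalizeBlacklistEntry(string $input): ?string
{
    $candidate = strtolower(trim($input));
    if ($candidate === '' || filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $candidate;
}

/**
 * Escape a stored entry for an HTML text or attribute context.
 * This runs on every render regardless of how the value was validated on input.
 */
function renderBlacklistEntry(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions, as they might arrive from an admin form.
$submissions = [
    'spammer@example.com',
    '  Mixed.Case@Example.ORG ',
    '<b>not an address</b>',          // markup instead of an address: rejected
    '"<script>"@example.com',         // RFC-valid quoted local part: may pass validation
];

$blacklist = [];                       // stands in for the persisted blacklist
foreach ($submissions as $raw) {
    $entry = normalizeBlacklistEntry($raw);
    if ($entry === null) {
        printf("rejected: %s\n", $raw);
        continue;
    }
    $blacklist[] = $entry;
}

// Rendering: every entry is escaped, so even a stored entry that contains
// < or " inside a quoted local part cannot become active markup.
foreach ($blacklist as $entry) {
    printf("<li>%s</li>\n", renderBlacklistEntry($entry));
}
```

The last sample is the caveat worth remembering: RFC 5322 allows a quoted local part, so characters such as `<`, `>` and `"` can appear in an address that `FILTER_VALIDATE_EMAIL` accepts. Input validation narrows the attack surface but is not a substitute for contextual output escaping, which is why both layers are present.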
Patches
Update to version 10.5.18 or apply this patch manually: https://github.com/pimcore/pimcore/pull/14467.patch
Workarounds
Apply https://github.com/pimcore/pimcore/pull/14467.patch manually.
References
https://huntr.dev/bounties/3245ff99-9adf-4db9-af94-f995747e09d1/
Moderate severity · GitHub Reviewed · Published Mar 1, 2023 in pimcore/pimcore · Updated Mar 1, 2023
Related news
CVE-2023-1116: [Task] Optimized blacklist email input (#14467) · pimcore/pimcore@f6d322e
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.18.