Headline
GHSA-mhpj-7m7h-8p6x: Pimcore Cross-site Scripting (XSS) in Static Routes name field
Impact
This vulnerability has the potential to steal a user’s cookie and gain unauthorized access to that user’s account through the stolen cookie or redirect users to other malicious sites.
Patches
Update to version 10.5.21 or apply this patch manually: https://github.com/pimcore/pimcore/commit/07a2c95be524c7e20105cef58c5767d4ebb06091.patch
Workarounds
Apply patches manually: https://github.com/pimcore/pimcore/commit/07a2c95be524c7e20105cef58c5767d4ebb06091.patch
References
https://huntr.dev/bounties/564cb512-2bcc-4458-8c20-88110ab45801/
Skip to content
Sign up
CVE-2023-2616
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
Explore
* All features
* Documentation
* GitHub Skills
* Blog
For
- Enterprise
- Teams
- Startups
- Education
By Solution
- CI/CD & Automation
- DevOps
- DevSecOps
Case Studies
- Customer Stories
- Resources
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
Repositories
* Topics
* Trending
* Collections
Pricing
Search All GitHub
No suggested jump to results
Search All GitHub
Search All GitHub
Search All GitHub
Sign in
Sign up
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-2616
Pimcore Cross-site Scripting (XSS) in Static Routes name field
Moderate severity GitHub Reviewed Published May 10, 2023 in pimcore/pimcore
Vulnerability details Dependabot alerts 0
Package
composer pimcore/pimcore (Composer)
Affected versions
< 10.5.21
Patched versions
10.5.21
Description
Impact
This vulnerability has the potential to steal a user’s cookie and gain unauthorized access to that user’s account through the stolen cookie or redirect users to other malicious sites.
Patches
Update to version 10.5.21 or apply this patch manually:
https://github.com/pimcore/pimcore/commit/07a2c95be524c7e20105cef58c5767d4ebb06091.patch
Workarounds
Apply patches manually:
https://github.com/pimcore/pimcore/commit/07a2c95be524c7e20105cef58c5767d4ebb06091.patch
References
https://huntr.dev/bounties/564cb512-2bcc-4458-8c20-88110ab45801/
References
- GHSA-mhpj-7m7h-8p6x
- https://nvd.nist.gov/vuln/detail/CVE-2023-2616
- pimcore/pimcore@07a2c95
- https://huntr.dev/bounties/564cb512-2bcc-4458-8c20-88110ab45801
dvesh3 published to pimcore/pimcore
May 10, 2023
Published to the GitHub Advisory Database
May 11, 2023
Reviewed
May 11, 2023
Severity
Moderate
6.8
/ 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
Weaknesses
CWE-79
CVE ID
CVE-2023-2616
GHSA ID
GHSA-mhpj-7m7h-8p6x
Source code
pimcore/pimcore
Credits
- sampritdas8 Reporter
Checking history
See something to contribute? Suggest improvements for this vulnerability.
Related news
### Impact This security advisory is about the user settings, which include things like preferred time zone and number of items per page in item listings. These could be accessed by the anonymous user. This impacted only the anonymous users themselves, and had no impact on logged in users. As such the impact is limited, even if custom user settings have been added, but please consider if this matters for your site. The fix ensures that only logged in users can access their user settings. ### References https://developers.ibexa.co/security-advisories/ibexa-sa-2023-002-user-settings-are-accessible-on-the-front-end-for-the-anonymous-user
Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21.