Pimcore is vulnerable to cross-site scripting via the "title" field in data objects.
The vulnerability is capable of resulting in stolen user cookies.
Proof of Concept
1. Log in with a dev account: https://11.x-dev.pimcore.fun/admin/?_dc=1670962076&perspective=
2. Go to settings --> data objects --> classes --> events.
3. Click media under general settings.
4. Add the payload in the title field.
5. Go to the data objects module and open events; the XSS will trigger.

// PoC.js
"><iMg SrC="x" oNeRRor="alert(xss);">
Update to version 10.5.14 or apply this patch manually https://github.com/pimcore/pimcore/pull/13916.patch
Apply https://github.com/pimcore/pimcore/pull/13916.patch manually.
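The following is an added example, not pimcore's code and not the contents of the linked patch. It shows why the PoC title value becomes markup when a stored title is written into HTML unencoded, and how encoding on output keeps it as text. The functions renderUnsafe, renderSafe, escapeHtml and openedTags are hypothetical names.

```javascript
// Constructed sample: the title value from the PoC above, as it would be stored.
const storedTitle = '"><iMg SrC="x" oNeRRor="alert(xss);">';

// Hypothetical renderer (assumption, not pimcore code): writes the stored
// title into an attribute and into element content without encoding.
function renderUnsafe(title) {
  return '<span class="tab" title="' + title + '">' + title + '</span>';
}

// Encode every character that can end an attribute value or start a tag.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Same renderer, encoding the value at the point of output.
function renderSafe(title) {
  const encoded = escapeHtml(title);
  return '<span class="tab" title="' + encoded + '">' + encoded + '</span>';
}

// Rough check used for comparison: names of the elements the markup opens.
// A regex scan is enough for this fixed sample; it is not an HTML parser.
function openedTags(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

console.log(openedTags(renderUnsafe(storedTitle)));
console.log(openedTags(renderSafe(storedTitle)));
```

In the unencoded output the leading `">` closes the title attribute and the span's start tag, so the rest of the value is parsed as a new element; in the encoded output only the span remains.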
Source: GitHub Advisory Database
Published: 18 days ago
Updated: 14 days ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-6vf6-g3pr-j83h, CVE-2023-0323
Fixed in: 10.5.14