Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05NmhwLTM4d3gtajN3Y84AAx57

Pimcore vulnerable to Cross Site Scripting in Email Blacklist

Impact

An attacker can execute arbitrary JavaScript, steal cookie information, and use it to hijack the user's session.

Patches

Update to version 10.5.18 or apply this patch manually: https://github.com/pimcore/pimcore/pull/14467.patch

Workarounds

Apply https://github.com/pimcore/pimcore/pull/14467.patch manually.

References

https://huntr.dev/bounties/3245ff99-9adf-4db9-af94-f995747e09d1/

Permalink: https://github.com/advisories/GHSA-96hp-38wx-j3wc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05NmhwLTM4d3gtajN3Y84AAx57
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 7 months ago


CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-96hp-38wx-j3wc, CVE-2023-1116
Affected Packages

packagist:pimcore/pimcore
Versions: < 10.5.18
Fixed in: 10.5.18