Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1janY2LXc1aGYtNXdyNs4AAzAA

Cross-site Scripting (XSS) in Ecommerce Pricing Rules name field

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.

Patches

Update to version 10.5.21 or apply this patch manually https://github.com/pimcore/pimcore/commit/e88fa79de7b5903fb58ddbc231130b04d937d79e.patch

Workarounds

Apply patch https://github.com/pimcore/pimcore/commit/e88fa79de7b5903fb58ddbc231130b04d937d79e.patch manually.

References

https://huntr.dev/bounties/41edf190-f6bf-4a29-a237-7ff1b2d048d3/

Permalink: https://github.com/advisories/GHSA-cjv6-w5hf-5wr6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1janY2LXc1aGYtNXdyNs4AAzAA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: about 1 year ago


CVSS Score: 6.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

EPSS Percentage: 0.00059
EPSS Percentile: 0.26496

Identifiers: GHSA-cjv6-w5hf-5wr6, CVE-2023-2323
References: Repository: https://github.com/pimcore/pimcore
Blast Radius: 16.9

Affected Packages

packagist:pimcore/pimcore
Dependent packages: 316
Dependent repositories: 308
Downloads: 2,862,128 total
Affected Version Ranges: < 10.5.21
Fixed in: 10.5.21
All affected versions: 2.2.0, 2.2.1, 2.2.2, 2.3.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.1.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.5.0, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.3.0, 5.3.1, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.6.6, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.8.0, 5.8.1, 5.8.2, 5.8.3, 5.8.4, 5.8.5, 5.8.6, 5.8.7, 5.8.8, 5.8.9, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.1.0, 6.1.1, 6.1.2, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.4.0, 6.4.1, 6.4.2, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.8.0, 6.8.1, 6.8.2, 6.8.3, 6.8.4, 6.8.5, 6.8.6, 6.8.7, 6.8.8, 6.8.9, 6.8.10, 6.8.11, 6.8.12, 6.9.0, 6.9.1, 6.9.2, 6.9.3, 6.9.4, 6.9.5, 6.9.6, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5, 10.0.6, 10.0.7, 10.0.8, 10.0.9, 10.1.0, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 10.1.5, 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.2.8, 10.2.9, 10.2.10, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.3.7, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.5.6, 10.5.7, 10.5.8, 10.5.9, 10.5.10, 10.5.11, 10.5.12, 10.5.13, 10.5.14, 10.5.15, 10.5.16, 10.5.17, 10.5.18, 10.5.19, 10.5.20
All unaffected versions: 10.5.21, 10.5.22, 10.5.23, 10.5.24, 10.5.25, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.6.5, 10.6.6, 10.6.7, 10.6.8, 10.6.9, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.0.7, 11.0.8, 11.0.9, 11.0.10, 11.0.11, 11.0.12, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.1.4, 11.1.5, 11.1.6, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 11.2.5, 11.2.6, 11.2.7, 11.3.0, 11.3.1, 11.3.2, 11.3.3, 11.4.0, 11.4.1, 11.4.2, 11.4.3, 11.4.4, 11.5.0, 11.5.1