Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1nOTN4LWZtMnctNXB4d84AAzAU

Moderate EPSS: 1.0e-05% (0.00021 Percentile) EPSS:
Permalink JSON

Cross-site Scripting (XSS) in DataObject columns grid

Affected Packages Affected Versions Fixed Versions
packagist:pimcore/pimcore < 10.5.21 10.5.21
316 Dependent packages
308 Dependent repositories
3,484,503 Downloads total

Affected Version Ranges

All affected versions

2.2.0, 2.2.1, 2.2.2, 2.3.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.1.1, 4.0.0, 4.0.1, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.3.0, 4.3.1, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.5.0, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, v5.0.0, v5.0.0-RC, v5.0.1, v5.0.2, v5.0.3, v5.0.4, v5.1.0, v5.1.0-alpha, v5.1.1, v5.1.2, v5.1.3, v5.2.0, v5.2.1, v5.2.2, v5.2.3, v5.3.0, v5.3.1, v5.4.0, v5.4.1, v5.4.2, v5.4.3, v5.4.4, v5.5.0, v5.5.1, v5.5.2, v5.5.3, v5.5.4, v5.6.0, v5.6.1, v5.6.2, v5.6.3, v5.6.4, v5.6.5, v5.6.6, v5.7.0, v5.7.1, v5.7.2, v5.7.3, v5.8.0, v5.8.1, v5.8.2, v5.8.3, v5.8.4, v5.8.5, v5.8.6, v5.8.7, v5.8.8, v5.8.9, v6.0.0, v6.0.1, v6.0.2, v6.0.3, v6.0.4, v6.0.5, v6.1.0, v6.1.1, v6.1.2, v6.2.0, v6.2.1, v6.2.2, v6.2.3, v6.3.0, v6.3.1, v6.3.2, v6.3.3, v6.3.4, v6.3.5, v6.3.6, v6.4.0, v6.4.1, v6.4.2, v6.5.0, v6.5.1, v6.5.2, v6.5.3, v6.6.0, v6.6.1, v6.6.2, v6.6.3, v6.6.4, v6.6.5, v6.6.6, v6.6.7, v6.6.8, v6.6.9, v6.6.10, v6.6.11, v6.7.0, v6.7.1, v6.7.2, v6.7.3, v6.8.0, v6.8.1, v6.8.2, v6.8.3, v6.8.4, v6.8.5, v6.8.6, v6.8.7, v6.8.8, v6.8.9, v6.8.10, v6.8.11, v6.8.12, v6.9.0, v6.9.1, v6.9.2, v6.9.3, v6.9.4, v6.9.5, v6.9.6, v10.0.0, v10.0.0-BETA1, v10.0.0-BETA2, v10.0.0-BETA3, v10.0.0-BETA4, v10.0.1, v10.0.2, v10.0.3, v10.0.4, v10.0.5, v10.0.6, v10.0.7, 10.0.8, v10.0.9, v10.1.0, v10.1.1, v10.1.2, v10.1.3, v10.1.4, v10.1.5, v10.2.0, v10.2.1, v10.2.2, v10.2.3, v10.2.4, v10.2.5, v10.2.6, v10.2.7, v10.2.8, v10.2.9, v10.2.10, v10.3.0, v10.3.1, v10.3.2, v10.3.3, v10.3.4, v10.3.5, v10.3.6, v10.3.7, v10.4.0, v10.4.1, v10.4.2, v10.4.3, v10.4.4, v10.4.5, v10.4.6, v10.5.0, v10.5.1, v10.5.2, v10.5.3, v10.5.4, v10.5.5, v10.5.6, v10.5.7, v10.5.8, v10.5.9, v10.5.10, v10.5.11, v10.5.12, v10.5.13, v10.5.14, v10.5.15, v10.5.16, v10.5.17, v10.5.18, v10.5.19, v10.5.20

All unaffected versions

v10.5.21, v10.5.22, v10.5.23, v10.5.24, v10.5.25, v10.6.0, v10.6.1, v10.6.2, v10.6.3, v10.6.4, v10.6.5, v10.6.6, v10.6.7, v10.6.8, v10.6.9, v11.0.0, v11.0.1, v11.0.2, v11.0.3, v11.0.4, v11.0.5, v11.0.6, v11.0.7, v11.0.8, v11.0.9, v11.0.10, v11.0.11, v11.0.12, v11.1.0, v11.1.1, v11.1.2, v11.1.3, v11.1.4, v11.1.5, v11.1.6, v11.2.0, v11.2.1, v11.2.2, v11.2.3, v11.2.4, v11.2.5, v11.2.6, v11.2.7, v11.3.0, v11.3.1, v11.3.2, v11.3.3, v11.4.0, v11.4.1, v11.4.2, v11.4.3, v11.4.4, v11.5.0, v11.5.1, v11.5.2, v11.5.3, v11.5.4, v11.5.5, v11.5.6, v11.5.7, v11.5.8, v11.5.9, v11.5.10, v11.5.11, v11.5.12, v11.5.13, v12.0.0, v12.0.1, v12.0.2, v12.0.3, v12.0.4, v12.1.0, v12.1.1, v12.1.2, v12.1.3, v12.1.4, v12.1.5, v12.2.0, v12.2.1, v12.2.2, v12.2.3, v12.2.4, v12.3.0

Impact

The attacker is capable to stolen the user session cookie. it will leads to complete account takeover.

Patches

Update to version 10.5.21 or apply this patch manually https://github.com/pimcore/pimcore/commit/aa38319e353cc3cdfac12e03e21ed7a8f3628d3e.patch

Workarounds

Apply patch https://github.com/pimcore/pimcore/commit/aa38319e353cc3cdfac12e03e21ed7a8f3628d3e.patch manually.

References

https://huntr.dev/bounties/964762b0-b4fe-441c-81e1-0ebdbbf80f3b/

References:

Identifiers

GHSA-g93x-fm2w-5pxw

CVE-2023-2340

Risk

Severity

Moderate

EPSS

EPSS Percentage: 1.0e-05

EPSS Percentile: 0.00021

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/pimcore/pimcore

Date and time

Published

over 2 years ago

Updated

21 days ago

API

JSON