Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xeGN3LXJmNHYtaHAyNs4AAx56
Pimcore vulnerable to Cross Site Scripting in image/video thumbnail config
Impact
An attacker can use XSS to send a malicious script to any user through Image/Video thumbnail config
Patches
Update to version 10.5.18 or apply this patch manually https://github.com/pimcore/pimcore/pull/14472.patch
Workarounds
Apply https://github.com/pimcore/pimcore/pull/14472.patch manually.
References
https://huntr.dev/bounties/e8c0044d-a31b-4347-b2d5-59fbf492da39/
Permalink: https://github.com/advisories/GHSA-qxcw-rf4v-hp26JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xeGN3LXJmNHYtaHAyNs4AAx56
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 7 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-qxcw-rf4v-hp26, CVE-2023-1117
References:
- https://github.com/pimcore/pimcore/security/advisories/GHSA-qxcw-rf4v-hp26
- https://nvd.nist.gov/vuln/detail/CVE-2023-1117
- https://github.com/pimcore/pimcore/commit/b9ba69f66d6a9986fb36f239661b98cd33a89853
- https://huntr.dev/bounties/e8c0044d-a31b-4347-b2d5-59fbf492da39
- https://github.com/advisories/GHSA-qxcw-rf4v-hp26
Affected Packages
packagist:pimcore/pimcore
Versions: < 10.5.18Fixed in: 10.5.18