CVSS 3.1

Metric | Value
---|---
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | LOW
User Interaction | REQUIRED
Scope | CHANGED
Confidentiality Impact | LOW
Integrity Impact | LOW
Availability Impact | NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (base score 5.4, Medium)

EPSS percentile: 23.9%
Because the HTML injection lands in an email body, an attacker can embed a hyperlink that tricks the recipient into clicking through to an attacker-controlled site, including a page hosting an XSS payload. The practical outcome is phishing: users can be lured into handing their login credentials to the attacker.
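The pattern behind this class of bug, as an added illustrative example that is not code from pimcore/customer-data-framework: a notification mail body is built by concatenating a customer-supplied value into HTML. The function names, the mail text and the attacker input are all assumptions made for the demonstration; the point is the difference between the raw interpolation and the escaped one.

```php
<?php
// Added illustrative example, not code from pimcore/customer-data-framework.
// Assumes a hypothetical text/html notification mail whose body embeds a
// customer-supplied display name. Anything that reaches the body unescaped
// is rendered as markup by the recipient's mail client.

declare(strict_types=1);

// Vulnerable: the display name is concatenated into the HTML body as-is.
function buildBodyUnsafe(string $displayName): string
{
    return '<p>Hello ' . $displayName . ', your account was updated.</p>';
}

// Hardened: escape for an HTML text-node context before interpolation.
// ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE keeps invalid UTF-8
// from silently producing an empty string.
function buildBodySafe(string $displayName): string
{
    $escaped = htmlspecialchars($displayName, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p>Hello ' . $escaped . ', your account was updated.</p>';
}

// Constructed attacker input: a hyperlink to an attacker-controlled host
// dressed up as a legitimate call to action.
$payload = '<a href="https://attacker.example/login">Confirm your account</a>';

$unsafe = buildBodyUnsafe($payload);
$safe   = buildBodySafe($payload);

// The unsafe body carries a live anchor; the hardened body carries only text.
assert(str_contains($unsafe, '<a href="https://attacker.example/login">'));
assert(!str_contains($safe, '<a href='));
assert(str_contains($safe, '&lt;a href=&quot;https://attacker.example/login&quot;&gt;'));

echo "unsafe: {$unsafe}\n";
echo "safe:   {$safe}\n";
```

Escaping is context-specific: htmlspecialchars() is the right tool for a value placed between tags, but a value placed inside an href or other URL attribute also needs its scheme validated (reject anything other than http/https), or it still becomes a clickable link to wherever the attacker chooses. If the mail body is rendered through a Twig template, the same protection comes from leaving autoescaping on and never applying |raw to user-controlled values.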
Update to version 3.4.2. As a workaround, apply the fixing commit manually: https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch
https://huntr.dev/bounties/ce852777-2994-40b4-bb4e-c4d10023eeb0/
Vendor | Product | Version | CPE |
---|---|---|---|
pimcore | customer_management_framework | * | cpe:2.3:a:pimcore:customer_management_framework:*:*:*:*:*:pimcore:*:* |
github.com/advisories/GHSA-735f-w79p-282x
github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2
github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch
github.com/pimcore/customer-data-framework/security/advisories/GHSA-735f-w79p-282x
huntr.dev/bounties/ce852777-2994-40b4-bb4e-c4d10023eeb0
nvd.nist.gov/vuln/detail/CVE-2023-4145