Lucene search

GitHub Advisory DatabaseGHSA-WQR6-57QM-HHR5

HistorySep 22, 2022 - 12:00 a.m.

Pimcore vulnerable to cross site scripting

2022-09-2200:00:30

CWE-79

GitHub Advisory Database

github.com

pimcore

cross-site scripting

xss

security patch

version 10.5.7

application vulnerability

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

If an attacker can control a script that is executed in the victim’s browser, then they can typically fully compromise that user. Amongst other things, the attacker can perform any action within the application that the user can perform; view any information that the user is able to view; modify any information that the user is able to modify; and/or initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user. A patch for this issue is available at commit 1e916e7d668c9e47b217e20cc0ea4812f466201b and anticipated to be part of version 10.5.7.

Affected configurations

Vulners

Node

pimcorepimcoreRange≤10.5.6

VendorProductVersionCPE
pimcorepimcore*cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
pimcore	pimcore	*	cpe:2.3:a:pimcore:pimcore::::::::

References

github.com/advisories/GHSA-wqr6-57qm-hhr5

github.com/pimcore/pimcore/commit/1e916e7d668c9e47b217e20cc0ea4812f466201b

huntr.dev/bounties/0ea45cf9-b256-454c-9031-2435294c0902

nvd.nist.gov/vuln/detail/CVE-2022-3255