26 matches found
CVE-2023-1517
Cross-site Scripting XSS - DOM in GitHub repository pimcore/pimcore prior to 10.5.19...
CVE-2023-1312
Cross-site Scripting XSS - Reflected in GitHub repository pimcore/pimcore prior to 10.5.19...
CVE-2023-2332 Stored Cross-site Scripting (XSS) in pimcore/pimcore
A stored Cross-site Scripting (XSS) vulnerability exists in the Conditions tab of Pricing Rules in pimcore/pimcore version 10.5.19. The vulnerability is present in the From and To fields of the Date Range section, allowing an attacker to inject malicious scripts. This can lead to the execution of...
Pimcore cross-site scripting vulnerability
Pimcore is an open source Web content management platform for creating and managing Web applications from the Austrian company Pimcore. The platform integrates Web content management, e-commerce frameworks and product information management applications. A cross-site scripting vulnerability exist...
PT-2023-18905 · Pimcore · Pimcore
Name of the Vulnerable Software and Affected Versions: pimcore/pimcore version 10.5.19 Description: A stored Cross-site Scripting XSS vulnerability exists in the Conditions tab of Pricing Rules, specifically in the From and To fields of the Date Range section. This allows an attacker to inject...
Pimcore vulnerable to improper quoting of filters in Custom Reports
Impact Since a user with 'report' permission can already write arbitrary SQL queries, and given that this endpoint uses the GET method with no CSRF protection, an attacker can inject an arbitrary query by manipulating a user into clicking a link. The impact of this path traversal and arbitra...
Cross site request forgery (csrf)
Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries, and given that this endpoint uses the GET method with no CSRF protection, an attacker can inject an arbitrary query by...
CVE-2023-28438 Pimcore vulnerable to improper quoting of filters in Custom Reports
Pimcore is an open source data and experience management platform. Prior to version 10.5.19, since a user with 'report' permission can already write arbitrary SQL queries, and given that this endpoint uses the GET method with no CSRF protection, an attacker can inject an arbitrary query by...
Pimcore Remote Code Execution vulnerability in Search function
Impact Attacker can get full DB and maybe RCE knowing the WEBROOT path Patches Update to version 10.5.19 or apply this patch manually https://github.com/pimcore/pimcore/commit/367b74488808d71ec3f66f4ca9e8df5217c2c8d2.patch Workarounds Apply patch...
GHSA-42C3-WVWW-GCQJ Pimcore Remote Code Execution vulnerability in Search function
Impact Attacker can get full DB and maybe RCE knowing the WEBROOT path Patches Update to version 10.5.19 or apply this patch manually https://github.com/pimcore/pimcore/commit/367b74488808d71ec3f66f4ca9e8df5217c2c8d2.patch Workarounds Apply patch...
CVE-2023-1578 SQL Injection in pimcore/pimcore
SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.19...
Pimcore has Cross-site Scripting vulnerability in DataObject tooltip field
Impact Unsecured tooltip field in DataObject class definition. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Patches Update to version 10.5.19 or apply this...
Pimcore cross-site scripting vulnerability
Pimcore is an open source Web content management platform for creating and managing Web applications from the Austrian company Pimcore. The platform integrates Web content management, e-commerce frameworks and product information management applications. A cross-site scripting vulnerability exists in...
CVE-2023-1517 Cross-site Scripting (XSS) - DOM in pimcore/pimcore
Cross-site Scripting XSS - DOM in GitHub repository pimcore/pimcore prior to 10.5.19...
Pimcore cross-site scripting vulnerability
Pimcore is an open source Web content management platform for creating and managing Web applications from the Austrian company Pimcore. The platform integrates Web content management, e-commerce frameworks and product information management applications. A cross-site scripting vulnerabilit...
Improper quoting of columns when calling methods "getByUuid" & "exists" on UUID Model
Impact The quoting is not done properly in the UUID DAO model, so there is a theoretical possibility of injecting custom SQL if a developer uses these methods with input data without doing proper input validation in advance, relying instead on the auto-quoting done by the DAO class. Patches...
GHSA-X5J3-MQ9G-8JC8 Cross-site Scripting (XSS) in UrlSlug Data type
Impact An attacker can use XSS to send a malicious script to an unsuspecting user. Patches Update to version 10.5.19 or apply this patch manually https://github.com/pimcore/pimcore/pull/14669.patch Workarounds Apply https://github.com/pimcore/pimcore/pull/14669.patch manually. References...
Cross-site Scripting (XSS) in UrlSlug Data type
Impact An attacker can use XSS to send a malicious script to an unsuspecting user. Patches Update to version 10.5.19 or apply this patch manually https://github.com/pimcore/pimcore/pull/14669.patch Workarounds Apply https://github.com/pimcore/pimcore/pull/14669.patch manually. References...
Reflected XSS in Application Logger module
Impact This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Patches Update to version 10.5.19 or apply this patch manually...
GHSA-3223-W774-99FQ Cross-site Scripting (XSS) in Document Types
Impact Unsecured Name field in Document Types module in Settings. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Patches Update to version 10.5.19 or apply this...