CVE-2023-28429

EPSS 0.54%
Veröffentlicht 20.03.2023 15:15:12
Zuletzt bearbeitet 21.11.2024 07:55:02
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Pimcore has Cross-site Scripting vulnerability in DataObject tooltip field

Pimcore is an open source data and experience management platform. Versions prior to 10.5.19 have an unsecured tooltip field in DataObject class definition. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Users should upgrade to version 10.5.19 or, as a workaround, apply the patch manually.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pimcore ≫ Pimcore Version < 10.5.19

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.54%	0.413

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/pimcore/pimcore/pull/14574

Patch

https://github.com/pimcore/pimcore/pull/14574.patch

Patch

https://github.com/pimcore/pimcore/security/advisories/GHSA-rcg9-hrhx-6q69

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-28429

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-28429

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-28429

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-28429