GHSA-2295-vh28-pphc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2295-vh28-pphc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-2295-vh28-pphc/GHSA-2295-vh28-pphc.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-2295-vh28-pphc
- Aliases
- Published
- 2023-04-27T19:37:45Z
- Modified
- 2023-11-07T05:30:56.258926Z
- Severity
-
- 5.2 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L CVSS Calculator
- Summary
- Cross-site Scripting (XSS) in DataObjects QuantityValue Unit Definition
- Details
-
Impact
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.
Patches
Update to version 10.5.21 or apply these patches manually https://github.com/pimcore/pimcore/commit/e3562bfe249c557d15474c9a0acd5e06628521fe.patch https://github.com/pimcore/pimcore/commit/b9c9ca2371aa643dbc4caca162ff3400266ff96f.patch
Workarounds
Apply patches: https://github.com/pimcore/pimcore/commit/e3562bfe249c557d15474c9a0acd5e06628521fe.patch https://github.com/pimcore/pimcore/commit/b9c9ca2371aa643dbc4caca162ff3400266ff96f.patch
References
https://huntr.dev/bounties/01a44584-e36b-46f4-ad94-53af488397f6/
- Database specific
{ "nvd_published_at": "2023-04-27T10:15:09Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-04-27T19:37:45Z" }- References
-
- https://github.com/pimcore/pimcore/security/advisories/GHSA-2295-vh28-pphc
- https://nvd.nist.gov/vuln/detail/CVE-2023-2328
- https://github.com/pimcore/pimcore/commit/e3562bfe249c557d15474c9a0acd5e06628521fe
- https://github.com/pimcore/pimcore
- https://huntr.dev/bounties/01a44584-e36b-46f4-ad94-53af488397f6
Affected packages
Packagist / pimcore/pimcore
Package
- Name
- pimcore/pimcore
- Purl
- pkg:composer/pimcore/pimcore
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed10.5.21
Affected versions
2.*
2.2.0
2.2.1
2.2.2
2.3.0
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.1.0
3.1.1
4.*
4.0.0
4.0.1
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0
4.3.0
4.3.1
4.4.0
4.4.1
4.4.2
4.4.3
4.5.0
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5
v5.*
v5.0.0-RC
v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.1.0-alpha
v5.1.0
v5.1.1
v5.1.2
v5.1.3
v5.2.0
v5.2.1
v5.2.2
v5.2.3
v5.3.0
v5.3.1
v5.4.0
v5.4.1
v5.4.2
v5.4.3
v5.4.4
v5.5.0
v5.5.1
v5.5.2
v5.5.3
v5.5.4
v5.6.0
v5.6.1
v5.6.2
v5.6.3
v5.6.4
v5.6.5
v5.6.6
v5.7.0
v5.7.1
v5.7.2
v5.7.3
v5.8.0
v5.8.1
v5.8.2
v5.8.3
v5.8.4
v5.8.5
v5.8.6
v5.8.7
v5.8.8
v5.8.9
v6.*
v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.1.0
v6.1.1
v6.1.2
v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.4.0
v6.4.1
v6.4.2
v6.5.0
v6.5.1
v6.5.2
v6.5.3
v6.6.0
v6.6.1
v6.6.2
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.6.10
v6.6.11
v6.7.0
v6.7.1
v6.7.2
v6.7.3
v6.8.0
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.8.8
v6.8.9
v6.8.10
v6.8.11
v6.8.12
v6.9.0
v6.9.1
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6
v10.*
v10.0.0-BETA1
v10.0.0-BETA2
v10.0.0-BETA3
v10.0.0-BETA4
v10.0.0
v10.0.1
v10.0.2
v10.0.3
v10.0.4
v10.0.5
v10.0.6
v10.0.7
v10.0.9
v10.1.0
v10.1.1
v10.1.2
v10.1.3
v10.1.4
v10.1.5
v10.2.0
v10.2.1
v10.2.2
v10.2.3
v10.2.4
v10.2.5
v10.2.6
v10.2.7
v10.2.8
v10.2.9
v10.2.10
v10.3.0
v10.3.1
v10.3.2
v10.3.3
v10.3.4
v10.3.5
v10.3.6
v10.3.7
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.5.0
v10.5.1
v10.5.2
v10.5.3
v10.5.4
v10.5.5
v10.5.6
v10.5.7
v10.5.8
v10.5.9
v10.5.10
v10.5.11
v10.5.12
v10.5.13
v10.5.14
v10.5.15
v10.5.16
v10.5.17
v10.5.18
v10.5.19
v10.5.20
10.*
10.0.8