GHSA-fq95-rx4q-qgg2

Suggest an improvement
Source
https://github.com/advisories/GHSA-fq95-rx4q-qgg2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-fq95-rx4q-qgg2/GHSA-fq95-rx4q-qgg2.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-fq95-rx4q-qgg2
Aliases
Published
2023-04-27T17:12:46Z
Modified
2023-11-11T05:31:12.618125Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Cross-site Scripting (XSS) in Admin Login too many attempts notice
Details

Impact

Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can then impersonate that user.

Furthermore, JavaScript can read and make arbitrary modifications to the contents of a page being displayed to a user. Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities for an attacker.

Patches

Update to version 10.5.21 or apply this patch manually https://github.com/pimcore/pimcore/commit/66f1089fb1b9bcd575bfce9b1d4abb0f0499df11.patch

Workarounds

Apply patch https://github.com/pimcore/pimcore/commit/66f1089fb1b9bcd575bfce9b1d4abb0f0499df11.patch manually.

References

https://huntr.dev/bounties/cf3901ac-a649-478f-ab08-094ef759c11d/

Database specific
{
    "nvd_published_at": "2023-04-27T14:15:09Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-27T17:12:46Z"
}
References

Affected packages

Packagist / pimcore/pimcore

Package

Name
pimcore/pimcore
Purl
pkg:composer/pimcore/pimcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
10.5.21

Affected versions

2.*

2.2.0
2.2.1
2.2.2
2.3.0

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.1.0
3.1.1

4.*

4.0.0
4.0.1
4.1.0
4.1.1
4.1.2
4.1.3
4.2.0
4.3.0
4.3.1
4.4.0
4.4.1
4.4.2
4.4.3
4.5.0
4.6.0
4.6.1
4.6.2
4.6.3
4.6.4
4.6.5

v5.*

v5.0.0-RC
v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.1.0-alpha
v5.1.0
v5.1.1
v5.1.2
v5.1.3
v5.2.0
v5.2.1
v5.2.2
v5.2.3
v5.3.0
v5.3.1
v5.4.0
v5.4.1
v5.4.2
v5.4.3
v5.4.4
v5.5.0
v5.5.1
v5.5.2
v5.5.3
v5.5.4
v5.6.0
v5.6.1
v5.6.2
v5.6.3
v5.6.4
v5.6.5
v5.6.6
v5.7.0
v5.7.1
v5.7.2
v5.7.3
v5.8.0
v5.8.1
v5.8.2
v5.8.3
v5.8.4
v5.8.5
v5.8.6
v5.8.7
v5.8.8
v5.8.9

v6.*

v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.1.0
v6.1.1
v6.1.2
v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.4.0
v6.4.1
v6.4.2
v6.5.0
v6.5.1
v6.5.2
v6.5.3
v6.6.0
v6.6.1
v6.6.2
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.6.10
v6.6.11
v6.7.0
v6.7.1
v6.7.2
v6.7.3
v6.8.0
v6.8.1
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.8.8
v6.8.9
v6.8.10
v6.8.11
v6.8.12
v6.9.0
v6.9.1
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6

v10.*

v10.0.0-BETA1
v10.0.0-BETA2
v10.0.0-BETA3
v10.0.0-BETA4
v10.0.0
v10.0.1
v10.0.2
v10.0.3
v10.0.4
v10.0.5
v10.0.6
v10.0.7
v10.0.9
v10.1.0
v10.1.1
v10.1.2
v10.1.3
v10.1.4
v10.1.5
v10.2.0
v10.2.1
v10.2.2
v10.2.3
v10.2.4
v10.2.5
v10.2.6
v10.2.7
v10.2.8
v10.2.9
v10.2.10
v10.3.0
v10.3.1
v10.3.2
v10.3.3
v10.3.4
v10.3.5
v10.3.6
v10.3.7
v10.4.0
v10.4.1
v10.4.2
v10.4.3
v10.4.4
v10.4.5
v10.4.6
v10.5.0
v10.5.1
v10.5.2
v10.5.3
v10.5.4
v10.5.5
v10.5.6
v10.5.7
v10.5.8
v10.5.9
v10.5.10
v10.5.11
v10.5.12
v10.5.13
v10.5.14
v10.5.15
v10.5.16
v10.5.17
v10.5.18
v10.5.19
v10.5.20

10.*

10.0.8