Cross Site Scripting (XSS) in Model\DataObject\Data\UrlSlug

Moderate severity. GitHub Reviewed. Published Feb 15, 2023 in pimcore/pimcore

Package

pimcore/pimcore (Composer)

Affected versions

< 10.5.17

Patched versions

10.5.17

Description

Impact

An attacker can use XSS to send a malicious script to an unsuspecting user.

Patches

Update to version 10.5.17 or apply this patch manually https://github.com/pimcore/pimcore/pull/14301.patch

Workarounds

Apply https://github.com/pimcore/pimcore/pull/14301.patch manually.

References

https://huntr.dev/bounties/75bc7d07-46a7-4ed9-a405-af4fc47fb422/

dvesh3 published to pimcore/pimcore on Feb 15, 2023
Published to the GitHub Advisory Database Feb 15, 2023
Reviewed Feb 15, 2023

Severity

Moderate

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize, or incorrectly neutralizes, user-controllable input before placing it in output that is used as a web page served to other users.

CVE ID

No known CVE

GHSA ID

GHSA-76r7-h46w-463r
