
THREATINT
PUBLISHED

CVE-2023-46722

Pimcore Admin Classic Bundle Cross-site Scripting (XSS) in PDF previews



Description

The Pimcore Admin Classic Bundle provides a backend UI for Pimcore. Prior to version 1.2.0, a cross-site scripting vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Users should upgrade to version 1.2.0 to receive a patch or, as a workaround, apply the patch manually.

Reserved 2023-10-25 | Published 2023-10-31 | Updated 2024-09-05 | Assigner GitHub_M


MEDIUM: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Problem types

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

< 1.2.0: affected

References

github.com/...bundle/security/advisories/GHSA-jfxw-6c5v-c42f

github.com/...ommit/19fda2e86557c2ed4978316104de5ccdaa66d8b9

github.com/...ommit/757375677dc83a44c6c22f26d97452cc5cda5d7c

cve.org (CVE-2023-46722)

nvd.nist.gov (CVE-2023-46722)

https://cve.threatint.com/CVE/CVE-2023-46722
