CVE-2019-18656: Pimcore XSS Vulnerability

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.00203%
Published: 5/24/2022
Updated: 9/26/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name: pimcore/pimcore
Ecosystem: composer
Vulnerable Versions: < 6.3.0
First Patched Version: 6.3.0

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from the lack of input sanitization in the translations grid rendering logic. The patch introduced a `renderer` function that applies `strip_tags` and `replace_html_event_attributes` to sanitize the output. In vulnerable versions, the `create` method in `translations.js` defined grid columns without this renderer, leaving user-supplied HTML/JavaScript unneutralized. The explicit addition of the renderer in the patch confirms this as the root cause.
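
An added example (not Pimcore's code and not the patch itself) that models the root cause described above: a grid column without a renderer places the stored translation into the cell as markup, while a column with a sanitizing renderer does not. `strip_tags` and `replace_html_event_attributes` here are simplified stand-ins that only borrow the names of the helpers the patch applies; `renderCell`, `findSuspectTranslations`, the tag allowlist and the sample records are assumptions constructed for illustration.

```javascript
// Stand-ins named after the helpers the patch applies; NOT Pimcore's implementations.
const ALLOWED_TAGS = ["b", "i", "em", "strong", "span"]; // assumed allowlist

// Remove every tag whose name is not on the allowlist.
function strip_tags(value, allowed = []) {
  return String(value).replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g,
    (tag, name) => (allowed.includes(name.toLowerCase()) ? tag : ""));
}

// Rename inline event-handler attributes (onclick=, onerror=, ...) inside tags.
function replace_html_event_attributes(value) {
  return String(value).replace(/<[^>]+>/g,
    (tag) => tag.replace(/\son[a-z]+\s*=/gi, " data-blocked="));
}

// Hypothetical model of a grid cell: without a renderer the raw value becomes markup.
function renderCell(column, record) {
  const raw = record[column.dataIndex];
  return "<td>" + (column.renderer ? column.renderer(raw) : raw) + "</td>";
}

const vulnerableColumn = { dataIndex: "text" }; // pre-patch shape: no renderer
const patchedColumn = {
  dataIndex: "text",
  renderer: (v) => (v == null ? "" :
    replace_html_event_attributes(strip_tags(v, ALLOWED_TAGS))),
};

// Audit helper: keys of stored translations that the renderer has to alter.
function findSuspectTranslations(records, column) {
  return records
    .filter((r) => column.renderer(r[column.dataIndex]) !== r[column.dataIndex])
    .map((r) => r.key);
}

// Constructed sample records (not real Pimcore data).
const sampleTranslations = [
  { key: "greeting", text: "Hello <b>world</b>" },
  { key: "promo", text: '<b onmouseover="alert(1)">Sale</b>' },
  { key: "footer", text: "<script>alert(1)</script>Contact" },
];

for (const rec of sampleTranslations) {
  console.log(rec.key, "|", renderCell(vulnerableColumn, rec), "|", renderCell(patchedColumn, rec));
}
console.log("review:", findSuspectTranslations(sampleTranslations, patchedColumn));
```

The audit helper is the part worth reusing after an upgrade: any stored translation whose rendered form differs from its raw form was relying on markup the renderer now removes and deserves a manual look.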
