Miggo Logo

CVE-2022-0260: Cross-site Scripting in pimcore

5.4

CVSS Score
3.1

Basic Information

EPSS Score
0.04359%
Published
1/26/2022
Updated
2/3/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
pimcore/pimcorecomposer< 10.2.910.2.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from two key issues: (1) Lack of input sanitization when setting rule/target group names (via setName()) in add/save actions, and (2) Missing output encoding when rendering names in list views. The patch added both input validation (via correctName()) and output encoding (htmlspecialchars). The listed controller actions were vulnerable because they handled user-controlled 'name' parameters without these protections prior to the fix. High confidence comes from the direct correlation between the patch changes and these specific functions' pre-patch behavior.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

pim*or* is vuln*r**l* to Stor** XSS *t N*m* *i*l* in t** s*ttin* t** o* t** *lo**l T*r**tin* Rul*s.

Reasoning

T** vuln*r**ility st*mm** *rom two k*y issu*s: (*) L**k o* input s*nitiz*tion w**n s*ttin* rul*/t*r**t *roup n*m*s (vi* `s*tN*m*()`) in ***/s*v* **tions, *n* (*) Missin* output *n*o*in* w**n r*n**rin* n*m*s in list vi*ws. T** p*t** ***** *ot* input v