CVE-2022-0565: Exposure of Sensitive Information to an Unauthorized Actor in pimcore

CVSS Score: 6.4 (CVSS 3.1)

Basic Information

EPSS Score: 0.11759%
Published: 2/15/2022
Updated: 1/26/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Package Name: pimcore/pimcore
Ecosystem: composer
Vulnerable Versions: < 10.3.1
First Patched Version: 10.3.1

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from two key issues:

  1. In SettingsController's logo upload: The original <script> tag check was inadequate (CWE-79). The patch introduced proper SVG sanitization.
  2. General asset handling lacked SVG sanitization (CWE-200/CWE-79). The new AssetSanitizationListener added in the patch confirms this was previously missing.

Both scenarios allowed unauthorized actors to exfiltrate data or execute scripts via crafted SVGs.
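
The gap described above, as an added example (not pimcore's code or its patch): a <script>-only check beside a structural check that parses the uploaded SVG and reports active content. Function names and the sample SVGs are constructed for illustration.

```php
<?php
// Added example, not pimcore's code. Function names and samples are constructed.
// The style of check the analysis calls inadequate: look only for a <script> tag.
function naiveScriptCheck(string $svg): bool
{
    return stripos($svg, '<script') === false; // true = accepted
}

// Structural check: parse the SVG and list every active-content construct found.
function findActiveSvgContent(string $svg): array
{
    // Refuse DTDs up front so entity declarations never reach the parser.
    if (stripos($svg, '<!DOCTYPE') !== false || stripos($svg, '<!ENTITY') !== false) {
        return ['DTD or entity declaration'];
    }
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);
    $loaded = $svg !== '' && $doc->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$loaded) {
        return ['not well-formed XML'];
    }
    $findings = [];
    $blocked = ['script', 'foreignobject', 'iframe', 'embed', 'object'];
    foreach ($doc->getElementsByTagName('*') as $el) {
        $name = strtolower($el->localName);
        if (in_array($name, $blocked, true)) {
            $findings[] = "element <$name>";
        }
        foreach ($el->attributes as $attr) {
            $attrName = strtolower($attr->localName);
            // Drop whitespace/control characters before comparing the URL scheme.
            $value = strtolower(preg_replace('/[\s\x00-\x1f]+/', '', $attr->value));
            if (strncmp($attrName, 'on', 2) === 0) {
                $findings[] = "event handler $attrName on <$name>";
            } elseif ($attrName === 'href' && strncmp($value, 'javascript:', 11) === 0) {
                $findings[] = "script URL in $attrName on <$name>";
            }
        }
    }
    return $findings;
}

// Constructed samples; none contains a <script> tag, so all pass the naive check.
$ns = 'xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"';
foreach (["<svg $ns><rect/></svg>", "<svg $ns onload=\"f()\"><rect/></svg>",
          "<svg $ns><a xlink:href=\"javascript:f()\"><rect/></a></svg>"] as $svg) {
    printf("naive=%s findings=%s\n", naiveScriptCheck($svg) ? 'accept' : 'reject', json_encode(findActiveSvgContent($svg)));
}
```

The element and attribute list here is illustrative rather than exhaustive; an allowlist of permitted elements and attributes is the stronger design for a real upload path.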
