5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-0323

GHSA ID

GHSA-6vf6-g3pr-j83h

EPSS Score

0.00051%

CWE

CWE-79

Published

1/20/2023

Updated

1/24/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-0323

CVE-2023-0323: pimcore is vulnerable to cross-site scripting via "title field " in data objects

Impact

The vulnerability is capable of resulting in stolen user cookies.

Proof of Concept

Login with dev account https://11.x-dev.pimcore.fun/admin/?_dc=1670962076&perspective=

Go to setting --> data objects --> classes --> events

Click media under genaral settings

Add payload in title field.

Go to data objects module and open events, xss will trigger

// PoC.js "><iMg SrC="x" oNeRRor="alert(xss);">

Patches

Update to version 10.5.14 or apply this patch manually https://github.com/pimcore/pimcore/pull/13916.patch

Workarounds

Apply https://github.com/pimcore/pimcore/pull/13916.patch manually.

References

https://huntr.dev/bounties/129d6a4b-0504-4de1-a72c-3f12c4552343/

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-0323

GHSA ID

GHSA-6vf6-g3pr-j83h

EPSS Score

0.00051%

CWE

CWE-79

Published

1/20/2023

Updated

1/24/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pimcore/pimcore	composer	< 10.5.14	10.5.14

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unvalidated 'title' field input in class definitions. The patch adds a regex check for HTML tags in the title field within generateLayoutTreeFromArray(). Before this fix, the function did not sanitize title values, enabling XSS when malicious titles were rendered in admin interfaces. The function's direct handling of user-controlled title input and the specific patch location confirm its role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** vuln*r**ility is **p**l* o* r*sultin* in stol*n us*r *ooki*s. #### Proo* o* *on**pt ``` Lo*in wit* **v ***ount *ttps://**.x-**v.pim*or*.*un/**min/?_**=**********&p*rsp**tiv*= *o to s*ttin* --> **t* o*j**ts --> *l*ss*s --> *v*nts *li

Reasoning

T** vuln*r**ility st*ms *rom unv*li**t** 'titl*' *i*l* input in *l*ss ***initions. T** p*t** ***s * r***x ****k *or *TML t**s in t** titl* *i*l* wit*in `**n*r*t*L*youtTr***rom*rr*y()`. ***or* t*is *ix, t** *un*tion *i* not s*nitiz* titl* v*lu*s, *n**

5.4

Basic Information

Concerned about an active attack path?

CVE-2023-0323: pimcore is vulnerable to cross-site scripting via "title field " in data objects

Impact

Proof of Concept

Patches

Workarounds

References

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI