
CVE-2023-1286:
Cross-site Scripting (XSS) in pimcore/pimcore

CVSS Score
4.8

Basic Information

EPSS Score
-
Published
3/9/2023
Updated
3/15/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Package Name
pimcore/pimcore
Ecosystem
composer
Vulnerable Versions
< 10.5.19
First Patched Version
10.5.19

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the unencoded rendering of text-type values in the PDF preview grid renderer. The pre-patch code handled the 'bool' and 'select' field types but did not HTML-encode values of the 'text' type before placing them in the grid markup. The patch added Ext.util.Format.htmlEncode() for text inputs, confirming that this was the XSS vector. Because the function builds HTML directly from user-controlled input without encoding, it is clearly the vulnerable point.
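The following is an added example written for this page, not Pimcore's own grid renderer or any code from the patch. It reproduces the pattern the analysis describes in a self-contained form: a cell renderer that switches on the field type, returning 'text' values raw in the pre-patch version and passing them through an HTML encoder in the fixed version. The htmlEncode function below is a stand-in with the same character set as Ext.util.Format.htmlEncode (assumed: &, <, >, " and '), since Ext JS is not available outside the browser; the bool and select rendering and the sample field objects are constructed for illustration.

```javascript
// Added example (not Pimcore's code): minimal stand-in for a grid cell
// renderer handling 'bool', 'select' and 'text' field types.

// Stand-in for Ext.util.Format.htmlEncode; assumed to encode the five
// HTML-significant characters. Real Ext JS supplies this in the browser.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical rendering for the two types the page says were already handled.
function renderBool(value) {
  return value ? 'Yes' : 'No';
}

function renderSelect(field) {
  // Option labels are looked up from a fixed list and encoded before output.
  return htmlEncode(field.options[field.value] || '');
}

// Pre-patch behaviour as described: 'text' is returned as-is and ends up in
// the grid's HTML without encoding.
function renderCellVulnerable(field) {
  switch (field.type) {
    case 'bool':
      return renderBool(field.value);
    case 'select':
      return renderSelect(field);
    default: // 'text'
      return field.value;
  }
}

// Post-patch behaviour: the 'text' branch is HTML-encoded like the others.
function renderCellFixed(field) {
  switch (field.type) {
    case 'bool':
      return renderBool(field.value);
    case 'select':
      return renderSelect(field);
    default: // 'text'
      return htmlEncode(field.value);
  }
}

// True when a rendered cell still contains a raw tag opener, i.e. the browser
// would interpret it as markup instead of displaying it as text.
function containsRawMarkup(rendered) {
  return /<[a-zA-Z/]/.test(rendered);
}

// Constructed sample fields, as object data shown in the preview grid might hold.
const sampleFields = [
  { type: 'bool', value: true },
  { type: 'select', value: 'a', options: { a: 'Option A', b: 'Option B' } },
  { type: 'text', value: 'plain title' },
  { type: 'text', value: '<b>bold</b> & "quoted"' },
];

for (const field of sampleFields) {
  console.log(
    field.type,
    '| vulnerable:', renderCellVulnerable(field),
    '| fixed:', renderCellFixed(field),
    '| raw markup in fixed output:', containsRawMarkup(renderCellFixed(field))
  );
}
```

Running the block prints each sample field through both renderers; only the vulnerable renderer leaves the markup in the last sample intact, which is the condition a detection rule for this class of bug should look for when reviewing renderer code: a branch whose return value is not routed through the same encoder as its siblings.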


WAF Protection Rules

WAF Rule

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19.
