
CVE-2023-2322: Cross-site Scripting (XSS) in Document Properties Parameter

CVSS Score: 5.2

Basic Information

EPSS Score: -
Published: 4/27/2023
Updated: 11/12/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H

Package Name: pimcore/pimcore
Ecosystem: composer
Vulnerable Versions: < 10.5.21
First Patched Version: 10.5.21

Vulnerability Intelligence
Root Cause Analysis

The patch adds Ext.util.Format.htmlEncode() to sanitize 'parameters' and 'anchor' values in the URL construction. The pre-patch code (line 101 in the diff) lacked encoding, making it vulnerable to XSS via malicious query parameters or anchors. The vulnerability manifests in the client-side JavaScript code responsible for rendering document properties, specifically in the editable link component.
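
The change described above, shown as an added example that is not Pimcore's code. ExtJS is not loaded here, so htmlEncode is a stand-in that encodes the same five characters as Ext.util.Format.htmlEncode; the data shape, the function names, the rendering step and the sample input are assumptions constructed for illustration.

```javascript
// Stand-in for Ext.util.Format.htmlEncode (assumption: ExtJS is not loaded
// here); it encodes the same five characters: & < > " '
function htmlEncode(value) {
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Hypothetical link data shape: { path, parameters, anchor }.
// Pre-patch behaviour as described: parameters and anchor are appended raw.
function buildUrlUnencoded(data) {
  let url = data.path || '';
  if (data.parameters) url += '?' + data.parameters;
  if (data.anchor) url += '#' + data.anchor;
  return url;
}

// Post-patch behaviour as described: both values pass through htmlEncode.
function buildUrlEncoded(data) {
  let url = data.path || '';
  if (data.parameters) url += '?' + htmlEncode(data.parameters);
  if (data.anchor) url += '#' + htmlEncode(data.anchor);
  return url;
}

// Assumed rendering step: the URL is interpolated into markup shown as HTML.
function renderLink(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// True when the rendered string opens any element besides the single <a>.
function hasInjectedMarkup(html) {
  const openTags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return openTags.length !== 1;
}

// Constructed sample: a harmless markup probe in the parameters field.
const sample = { path: '/en/page', parameters: 'x="><b>injected</b>', anchor: 'top' };

function demo() {
  return {
    prePatch: hasInjectedMarkup(renderLink(buildUrlUnencoded(sample))),
    postPatch: hasInjectedMarkup(renderLink(buildUrlEncoded(sample))),
  };
}

console.log(demo());
```

Ordinary query strings survive the encoding: `a=1&b=2` becomes `a=1&amp;b=2`, which the browser decodes back to `&` when it reads the attribute.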


WAF Protection Rules

WAF Rule

### Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.

### Patches

Update to version 10.5.21 or apply this pa
