CVE-2023-2323: Cross-site Scripting (XSS) in Ecommerce Pricing Rules name field
CVSS Score: 6.8 (version 3.0)
Basic Information
CVE ID: CVE-2023-2323
GHSA ID:
EPSS Score: 0.0003%
CWE:
Published: 4/27/2023
Updated: 11/12/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| pimcore/pimcore | composer | < 10.5.21 | 10.5.21 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two key points:
- The PHP setName() method in Rule.php stored unsanitized user input (rule names), which could contain HTML/JS payloads. The patch adds SecurityHelper::convertHtmlSpecialChars to sanitize the input.
- The JavaScript deleteRule() function in panel.js displayed the stored rule name in a confirmation dialog without proper encoding. The patch adds explicit HTML decoding followed by encoding to prevent script execution.

These two functions handle the storage and reflection phases of the XSS attack vector respectively, which is why both were vulnerable before patching.
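
The two phases described above, as an added example that is not Pimcore's code: it shows why the rendering side decodes before it encodes once the storage side has started encoding. All function names, the dialog text and the sample rows are hypothetical, and the encoder is assumed to cover the same five characters as PHP's htmlspecialchars with ENT_QUOTES.

```javascript
// Added illustration, not Pimcore code; every name here is hypothetical.
const ENC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
const DEC = { amp: '&', lt: '<', gt: '>', quot: '"', '#039': "'", '#39': "'" };

// Encode the five HTML-significant characters
// (assumption: same set as PHP htmlspecialchars with ENT_QUOTES).
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENC[c]);
}

// Decode one level of those entities in a single pass,
// so "&amp;lt;" becomes "&lt;" and never "<".
function decodeHtml(s) {
  return String(s).replace(/&(amp|lt|gt|quot|#0?39);/g, (_, k) => DEC[k]);
}

// Storage phase after the fix: the name is encoded before it is persisted.
function storeRuleName(raw) {
  return encodeHtml(raw);
}

// Reflection phase before the fix: stored value concatenated into dialog HTML.
function confirmHtmlVulnerable(stored) {
  return 'Delete rule "' + stored + '"?';
}

// Reflection phase after the fix: decode, then encode. Rows saved before the
// upgrade (raw) and rows saved after it (already encoded) render identically.
function confirmHtmlHardened(stored) {
  return 'Delete rule "' + encodeHtml(decodeHtml(stored)) + '"?';
}

// True when the string would still open an element if assigned as HTML.
function containsMarkup(html) {
  return /<[a-z\/!]/i.test(html);
}

// Constructed sample rows: one written before the patch, one after it.
const legacyRow = '<img src=x onerror=alert(1)>';
const patchedRow = storeRuleName(legacyRow);

console.log(confirmHtmlVulnerable(legacyRow)); // markup reaches the dialog
console.log(confirmHtmlHardened(legacyRow));   // inert text
console.log(confirmHtmlHardened(patchedRow));  // same inert text
console.log(encodeHtml(patchedRow));           // encode-only double-encodes the row
```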