
CVE-2023-2323: Cross-site Scripting (XSS) in Ecommerce Pricing Rules name field

CVSS Score (v3.0)
6.8

Basic Information

EPSS Score
0.0003%
Published
4/27/2023
Updated
11/12/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
Package Name
pimcore/pimcore
Ecosystem
composer
Vulnerable Versions
< 10.5.21
First Patched Version
10.5.21

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from two key points:

  1. The PHP setName() method in Rule.php stored unsanitized user input (rule names), which could contain HTML/JS payloads. The patch adds SecurityHelper::convertHtmlSpecialChars to sanitize the input on write.
  2. The JavaScript deleteRule() in panel.js displayed the stored rule name in a confirmation dialog without encoding it. The patch explicitly HTML-decodes the stored value and then HTML-encodes it once before display, so markup in the name cannot execute and already-escaped names are not double-encoded.

The two functions correspond to the storage and reflection phases of the stored XSS respectively, which is why both were vulnerable before patching.
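The client-side half of the fix described in point 2, as an added illustration that is not Pimcore's or Miggo's code: the encode/decode helpers, the dialog wording and the function names are assumptions standing in for whatever the UI framework provides.

```javascript
// Added illustration (not Pimcore's own code) of the decode-then-encode step
// the patched deleteRule() applies before showing a rule name in a dialog.
const ENCODE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const DECODE_MAP = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Escape the five characters that can break out of an HTML text or attribute context.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ENCODE_MAP[ch]);
}

// Reverse named and numeric entities so a name that was already escaped on the
// server (as the patched setName() now stores it) is normalised to plain text.
// Unknown entities are left untouched.
function htmlDecode(s) {
  return String(s).replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return DECODE_MAP[body.toLowerCase()] ?? m;
  });
}

// Pre-patch behaviour: the stored name is concatenated into the dialog body as-is,
// so markup inside the name is rendered by the browser.
function unsafeDeleteMessage(ruleName) {
  return `Do you really want to delete the rule "${ruleName}"?`;
}

// Patched behaviour: decode first, then encode exactly once. Raw legacy names
// and server-escaped names both end up rendered as literal text.
function safeDeleteMessage(ruleName) {
  return `Do you really want to delete the rule "${htmlEncode(htmlDecode(ruleName))}"?`;
}

// Defender's check for existing data: a stored name that still contains a tag
// after decoding was written before the server-side sanitisation existed.
function looksLikeMarkup(ruleName) {
  return /<[a-z!/]/i.test(htmlDecode(ruleName));
}
```

Running looksLikeMarkup() over exported rule names is a cheap way to find records created before the upgrade that should be reviewed or re-saved.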

Vulnerable functions


WAF Protection Rules

WAF Rule

### Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.

### Patches

Update to version 10.5.21 or apply this pa
