CVE-2023-2327: Cross-site Scripting (XSS) in pimcore via DataObject Class date fields
4
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.00041%
CWE
Published
4/27/2023
Updated
11/7/2023
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| pimcore/pimcore | composer | < 10.5.21 | 10.5.21 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper input validation in date handling components. The patch adds type checks (typeof === 'object') and nullification of invalid inputs. The pre-patch code in both date.js and datetime.js accepted non-object values for date fields, which could be exploited to store malicious scripts that execute when rendered. The vulnerable functions directly handle user-controlled date input processing without adequate sanitization, making them the XSS injection points.