CVE-2023-2327: Cross-site Scripting (XSS) in pimcore via DataObject Class date fields

CVSS Score: 4 (CVSS 3.0)

Basic Information

EPSS Score: 0.00041%
Published: 4/27/2023
Updated: 11/7/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Package Name: pimcore/pimcore
Ecosystem: composer
Vulnerable Versions: < 10.5.21
First Patched Version: 10.5.21

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from improper input validation in date handling components. The patch adds type checks (typeof === 'object') and nullification of invalid inputs. The pre-patch code in both date.js and datetime.js accepted non-object values for date fields, which could be exploited to store malicious scripts that execute when rendered. The vulnerable functions directly handle user-controlled date input processing without adequate sanitization, making them the XSS injection points.
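The guard described above, shown as an added example rather than pimcore's own code: an unchecked date setter beside one that applies the typeof === 'object' check and nulls anything else. All function names and the sample string are constructed for illustration, and the Date validity check and output encoding go beyond what the analysis states.

```javascript
// Illustrative sketch only; names are hypothetical, not taken from pimcore.

// Pre-patch pattern: whatever arrives is stored as the field's date value.
function setDateUnchecked(field, value) {
  field.value = value; // a string from stored data passes straight through
  return field.value;
}

// Patched pattern: only objects are accepted, everything else becomes null.
// The instanceof/NaN checks are an added, stricter assumption.
function setDateChecked(field, value) {
  const isObject = typeof value === 'object' && value !== null;
  const isValidDate = isObject && value instanceof Date &&
    !Number.isNaN(value.getTime());
  field.value = isValidDate ? value : null;
  return field.value;
}

// Encode the five HTML-significant characters before output.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe sink: concatenates the stored value into markup unchanged.
function renderDateCellUnsafe(field) {
  return '<td>' + field.value + '</td>';
}

// Defensive sink: formats Date objects and encodes anything else.
function renderDateCell(field) {
  const v = field.value;
  if (v === null || v === undefined) return '<td></td>';
  const text = v instanceof Date ? v.toISOString().slice(0, 10) : String(v);
  return '<td>' + escapeHtml(text) + '</td>';
}

// Constructed sample input: markup where a date is expected.
const SAMPLE_NON_DATE = '<i>not a date</i>';
```

The type check at the setter and the encoding at the sink are independent layers; either one alone stops the constructed sample from reaching the page as markup.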

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.

Patches

Update to version 10.5.21 or apply this p
