6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-2341

GHSA ID

GHSA-fq95-rx4q-qgg2

EPSS Score

0.00252%

CWE

CWE-79

Published

4/27/2023

Updated

11/11/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-2341

CVE-2023-2341: Cross-site Scripting (XSS) in Admin Login too many attempts notice

Impact

Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can then impersonate that user.

Furthermore, JavaScript can read and make arbitrary modifications to the contents of a page being displayed to a user. Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities for an attacker.

Patches

Update to version 10.5.21 or apply this patch manually https://github.com/pimcore/pimcore/commit/66f1089fb1b9bcd575bfce9b1d4abb0f0499df11.patch

Workarounds

Apply patch https://github.com/pimcore/pimcore/commit/66f1089fb1b9bcd575bfce9b1d4abb0f0499df11.patch manually.

References

https://huntr.dev/bounties/cf3901ac-a649-478f-ab08-094ef759c11d/

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-2341

GHSA ID

GHSA-fq95-rx4q-qgg2

EPSS Score

0.00252%

CWE

CWE-79

Published

4/27/2023

Updated

11/11/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pimcore/pimcore	composer	< 10.5.21	10.5.21

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the line $params['error'] = $request->get('too_many_attempts') in loginAction, which took untrusted input from the request parameter and passed it to the view without HTML escaping. The patch adds SecurityHelper::convertHtmlSpecialChars() to sanitize this input, confirming the parameter was vulnerable to direct XSS injection. The function's role in handling login error messages makes it the clear injection point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t M*li*ious J*v*S*ript **s ****ss to *ll t** s*m* o*j**ts *s t** r*st o* t** w** p***, in*lu*in* ****ss to *ooki*s *n* lo**l stor***, w*i** *r* o*t*n us** to stor* s*ssion tok*ns. I* *n *tt**k*r **n o*t*in * us*r's s*ssion *ooki*, t**y **n t

Reasoning

T** vuln*r**ility st*ms *rom t** lin* `$p*r*ms['*rror'] = $r*qu*st->**t('too_m*ny_*tt*mpts')` in lo*in**tion, w*i** took untrust** input *rom t** r*qu*st p*r*m*t*r *n* p*ss** it to t** vi*w wit*out *TML *s**pin*. T** p*t** ***s S**urity**lp*r::*onv*r

6.1

Basic Information

Concerned about an active attack path?

CVE-2023-2341: Cross-site Scripting (XSS) in Admin Login too many attempts notice

Impact

Patches

Workarounds

References

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI