Miggo Logo
Miggo Vulnerability Database
CVE-2023-25240

CVE-2023-25240: SameSite Attribute vulnerability in pimCore

8.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-25240
GHSA ID
GHSA-r2vq-p658-p274
EPSS Score
0.00063%
CWE
-
Published
2/13/2023
Updated
2/23/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
pimcore/pimcorecomposer< 10.5.1610.5.16

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper SameSite attribute configuration in session cookies (specifically PHPSESSID), allowing cross-site request forgery and session hijacking. While exact code isn't available, session management functions are inherently involved in cookie attribute configuration. The exploit demonstrates cookie theft leading to admin panel/modules/plugins/ access, indicating the session initialization/cookie-setting functions didn't enforce SameSite=Lax/Strict. This matches CWE-1265's focus on unintended invocation vectors via insecure context propagation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n improp*r S*m*Sit* *ttri*ut* vuln*r**ility in pim*or* v**.*.** *llows *tt**k*rs to *x**ut* *r*itr*ry *o**.

Reasoning

T** vuln*r**ility st*ms *rom improp*r S*m*Sit* *ttri*ut* *on*i*ur*tion in s*ssion *ooki*s (sp**i*i**lly `P*PS*SSI*`), *llowin* *ross-sit* r*qu*st *or**ry *n* s*ssion *ij**kin*. W*il* *x**t *o** isn't *v*il**l*, s*ssion m*n***m*nt `*un*tions` *r* in**