
CVE-2023-2614: Pimcore Cross-site Scripting (XSS) in name field of Custom Reports

CVSS Score
5.4 (CVSS v3.1)

Basic Information

EPSS Score
0.00077%
CWE
-
Published
5/10/2023
Updated
5/10/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name      Ecosystem   Vulnerable Versions   First Patched Version
pimcore/pimcore   composer    < 10.5.21             10.5.21

Vulnerability Intelligence
Miggo AI

Miggo AI Root Cause Analysis

The vulnerability stems from two missing controls. On the server side, the PHP controller actions that add, clone and update custom reports accepted any string as the report name without validation, so a user with access to the Custom Reports feature could store a name containing HTML or script. On the client side, the JavaScript deleteField function inserted that stored name into the HTML of the delete-confirmation dialog without output encoding, so the markup executed in the browser of whoever later opened the dialog (a stored XSS, which matches the UI:R and S:C components of the CVSS vector). The patch adds a regex check (isValidConfigName) that restricts the name field to a safe character set, and HTML-encodes the name when building the confirmation message (decoding it again where the raw value is needed). Either control alone would have blocked the reported payload; applying both is the defence-in-depth choice, since input validation can be bypassed by names created before the patch or through another write path, while output encoding at the rendering site protects the dialog regardless of how the name got into storage.
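The following is an added example, not code from Pimcore or from the advisory, that models both halves of the fix described above in plain JavaScript so it runs without ExtJS or the Pimcore admin UI. The regex used in isValidConfigName, the message template, and the sample report names are assumptions chosen for illustration; the real Pimcore patch may use different values.

```javascript
// Added example (not Pimcore's code). Assumptions, labelled: the regex below and
// the message template are illustrative, not copied from the Pimcore patch.

// Constructed sample report names: one benign, one carrying an XSS payload.
const BENIGN_NAME = "monthly_sales";
const MALICIOUS_NAME = "<img src=x onerror=alert(document.cookie)>";

// Server-side style allow-list validation (assumed regex). Run in the
// add/clone/update actions, it rejects any name that could carry markup.
function isValidConfigName(name) {
  return typeof name === "string" && /^[A-Za-z0-9_\-]+$/.test(name);
}

// Minimal HTML encoder for the characters that matter in element and
// attribute contexts (the role ExtJS's htmlEncode plays in the real fix).
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored report name is concatenated straight into
// the HTML body of the delete-confirmation dialog.
function buildDeleteMessageUnsafe(name) {
  return "Do you really want to delete the report <b>" + name + "</b>?";
}

// Hardened pattern: the name is HTML-encoded before it enters the markup,
// so a payload is displayed as text instead of being parsed as a tag.
function buildDeleteMessageSafe(name) {
  return "Do you really want to delete the report <b>" + htmlEncode(name) + "</b>?";
}

// Check used by the tests: does the rendered message contain any tag other
// than the template's own <b> and </b>? True means markup was injected.
function containsInjectedTag(html) {
  return /<(?!\/?b>)[^>]*>/.test(html);
}

// Stand-alone run: show both messages for the malicious name.
console.log("valid name accepted:", isValidConfigName(BENIGN_NAME));
console.log("payload name accepted:", isValidConfigName(MALICIOUS_NAME));
console.log("unsafe:", buildDeleteMessageUnsafe(MALICIOUS_NAME));
console.log("safe:  ", buildDeleteMessageSafe(MALICIOUS_NAME));
```

The validation step stops new malicious names from being saved, while the encoding step is what actually protects the dialog: a name stored before the patch, or written through a path that skips the controller check, still renders harmlessly once the rendering site encodes it.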

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

### Impact
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.

### Patches
Update to version 10.5.21 or apply this pa
