Miggo Logo
Miggo Vulnerability Database
CVE-2023-2730

CVE-2023-2730: Pimcore Cross-site Scripting vulnerability

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-2730
GHSA ID
GHSA-q3p4-v2cm-q945
EPSS Score
0.00203%
CWE
CWE-79
Published
5/16/2023
Updated
11/4/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
pimcore/pimcorecomposer< 10.3.310.3.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unescaped user input in the SEO settings panel. The commit diff shows that the fix involved adding htmlspecialchars() to the title and description values in the updateSerpPreview function. Prior to 10.3.3, these values were directly injected into the SERP preview context without sanitization, making this function the XSS injection point. The patch confirms the vulnerability was in this specific JavaScript logic handling user-controlled metadata fields.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Pim*or* prior to **.*.* is vuln*r**l* to stor** *ross-sit* s*riptin* *t t** `Titl* *i*l*` in `S*O & S*ttin*s` t** o* `*o*um*nt`.

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** us*r input in t** S*O s*ttin*s p*n*l. T** *ommit *i** s*ows t**t t** *ix involv** ***in* *tmlsp**i*l***rs() to t** titl* *n* **s*ription v*lu*s in t** up**t*S*rpPr*vi*w *un*tion. Prior to **.*.*, t**s* v*lu*s w*