6.8

CVSS Score

3.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-g947-422m-hr7p

GHSA-g947-422m-hr7p: Duplicate Advisory: Pimcore Cross-site Scripting (XSS) in Static Routes name field

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-mhpj-7m7h-8p6x. This link is maintained to preserve external references.

Original Description

Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-g947-422m-hr7p

GHSA-g947-422m-hr7p:

6.8

CVSS Score

3.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pimcore/pimcore	composer	< 10.5.21	10.5.21

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from multiple layers of missing encoding:

Server-side SecurityHelper's original regex filter failed to handle HTML metacharacters
Model setters directly stored unencoded values
Client-side UI components lacked input sanitization These functions collectively allowed XSS payloads to be stored and executed in admin panels. The patch replaced regex filtering with proper htmlspecialchars encoding and added client-side encoding handlers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.8

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-g947-422m-hr7p: Duplicate Advisory: Pimcore Cross-site Scripting (XSS) in Static Routes name field

Duplicate Advisory

Original Description

GHSA-g947-422m-hr7p:

6.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

GHSA-g947-422m-hr7p: Duplicate Advisory: Pimcore Cross-site Scripting (XSS) in Static Routes name field

Duplicate Advisory

Original Description

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

6.8

6.8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI