CVE-2023-42817Cross-site Scripting in Admin-ui-classic-bundle

CWE-79Cross-site Scripting4 documents4 sources
Severity
5.4MEDIUMNVD
EPSS
0.0%
top 99.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Pimcore Admin-ui-classic-bundlePimcore Admin Classic Bundle
Timeline
PublishedSep 25

Description

Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore. The translation value with text including “%s” (from “%suggest%) is parsed by sprintf() even though it’s supposed to be output literally to the user. The translations may be accessible by a user with comparatively lower overall access (as the translation permission cannot be scoped to certain “modules”) and a skilled attacker might be able to exploit the parsing of the translation string in the dialog box. This issue has been pat

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
GHSA
pimcore/admin-ui-classic-bundle Cross-site Scripting vulnerability in Translations2023-09-25
OSV
pimcore/admin-ui-classic-bundle Cross-site Scripting vulnerability in Translations2023-09-25
CVEList
Cross-site Scripting (XSS) in pimcore admin-ui-classic-bundle translations2023-09-25
CVE-2023-42817 — Cross-site Scripting | cvebase