CVE-2024-11954
published 2025-01-28CVE-2024-11954: A vulnerability classified as problematic was found in Pimcore 11.4.2. Affected by this vulnerability is an unknown functionality of the component Search…
PriorityP427medium4.8CVSS 3.1
AVNACLPRHUIRSCCLILAN
EXPLOIT
EPSS
1.04%
59.7th percentile
A vulnerability classified as problematic was found in Pimcore 11.4.2. Affected by this vulnerability is an unknown functionality of the component Search Document. The manipulation leads to basic cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pimcore | pimcore | — | — |
| pimcore | pimcore | >= 11.4.2 < 11.5.3 | 11.5.3 |
CVSS provenance
nvdv3.14.8MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
nvdv4.05.1MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.03.3LOWAV:N/AC:L/Au:M/C:N/I:P/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Pimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document
ghsa·2025-01-28
CVE-2024-11954 [HIGH] CWE-79 Pimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document
Pimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document
### Summary
A Stored Cross-Site Scripting (XSS) vulnerability in PIMCORE allows remote attackers to inject arbitrary web script or HTML via the PDF upload functionality. This can result in the execution of malicious scripts in the context of the user's browser when the PDF is viewed, leading to potential session hijacking, defacement of web pages, or unauthorized access to sensitive information.
### Details
The vulnerability is present in the PDF upload functionality of the PIM Core Upload module. When a user uploads a PDF file, the application fails to properly sanitize the content, allowing embedded scripts to be executed when the PDF is viewed. The affected code is located in the file handling and rendering
OSV
Pimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document
osv·2025-01-28
CVE-2024-11954 [HIGH] Pimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document
Pimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document
### Summary
A Stored Cross-Site Scripting (XSS) vulnerability in PIMCORE allows remote attackers to inject arbitrary web script or HTML via the PDF upload functionality. This can result in the execution of malicious scripts in the context of the user's browser when the PDF is viewed, leading to potential session hijacking, defacement of web pages, or unauthorized access to sensitive information.
### Details
The vulnerability is present in the PDF upload functionality of the PIM Core Upload module. When a user uploads a PDF file, the application fails to properly sanitize the content, allowing embedded scripts to be executed when the PDF is viewed. The affected code is located in the file handling and rendering
No detection rules found.
No writeups or analysis indexed.
2025-01-28
Published