CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-4453 – Cross-site Scripting (XSS) - Reflected in pimcore/pimcore
https://notcve.org/view.php?id=CVE-2023-4453
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.8. • https://github.com/pimcore/pimcore/commit/234c0c02ea7502071b00ab673fbe4a6ac253080e https://huntr.dev/bounties/245a8785-0fc0-4561-b181-fa20f869d993 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38708 – Pimcore Path Traversal Vulnerability in AssetController:importServerFilesAction
https://notcve.org/view.php?id=CVE-2023-38708
Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. A path traversal vulnerability exists in the `AssetController::importServerFilesAction`, which allows an attacker to overwrite or modify sensitive files by manipulating the pimcore_log parameter.This can lead to potential denial of service---key file overwrite. The impact of this vulnerability allows attackers to: overwrite or modify sensitive files, potentially leading to unauthorized access, privilege escalation, or disclosure of confidential information. This could also cause a denial of service (DoS) if critical system files are overwritten or deleted. • https://github.com/pimcore/pimcore/commit/58012d0e3b8b926fb54eccbd64ec5c993b30c22c https://github.com/pimcore/pimcore/security/advisories/GHSA-34hj-v8fm-x887 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-3822 – Cross-site Scripting (XSS) - Reflected in pimcore/pimcore
https://notcve.org/view.php?id=CVE-2023-3822
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.4. • https://github.com/pimcore/pimcore/commit/d75888a9b14baaad591548463cca09dfd1395236 https://huntr.dev/bounties/2a3a13fe-2a9a-4d1a-8814-fd8ed1e3b1d5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-3821 – Cross-site Scripting (XSS) - Stored in pimcore/pimcore
https://notcve.org/view.php?id=CVE-2023-3821
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.6.4. • https://github.com/pimcore/pimcore/commit/92811f07d39e4ad95c92003868f5f7309489d79c https://huntr.dev/bounties/599ba4f6-c900-4161-9127-f1e6a6e29aaa • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2023-3820 – SQL Injection in pimcore/pimcore
https://notcve.org/view.php?id=CVE-2023-3820
SQL Injection in GitHub repository pimcore/pimcore prior to 10.6.4. • https://github.com/pimcore/pimcore/commit/e641968979d4a2377bbea5e2a76bdede040d0b97 https://huntr.dev/bounties/b00a38b6-d040-494d-bf46-38f46ac1a1db • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •