CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46722 – Pimcore Admin Classic Bundle Cross-site Scripting (XSS) in PDF previews
https://notcve.org/view.php?id=CVE-2023-46722
The Pimcore Admin Classic Bundle provides a backend UI for Pimcore. Prior to version 1.2.0, a cross-site scripting vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Users should upgrade to version 1.2.0 to receive a patch or, as a workaround, apply the patch manually. El paquete Pimcore Admin Classic proporciona una interfaz de usuario de backend para Pimcore. Antes de la versión 1.2.0, una vulnerabilidad de cross-site scripting tenía el potencial de robar la cookie de un usuario y obtener acceso no autorizado a la cuenta de ese usuario a través de la cookie robada o redirigir a los usuarios a otros sitios maliciosos. • https://github.com/pimcore/admin-ui-classic-bundle/commit/19fda2e86557c2ed4978316104de5ccdaa66d8b9 https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-jfxw-6c5v-c42f https://github.com/pimcore/pimcore/commit/757375677dc83a44c6c22f26d97452cc5cda5d7c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5873 – Cross-site Scripting (XSS) - Stored in pimcore/pimcore
https://notcve.org/view.php?id=CVE-2023-5873
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 11.1.0. Cross-site Scripting (XSS): almacenado en el repositorio de GitHub pimcore/pimcore anterior a 11.1.0. • https://github.com/pimcore/pimcore/commit/757375677dc83a44c6c22f26d97452cc5cda5d7c https://huntr.com/bounties/701cfc30-22a1-4c4b-9b2f-885c77c290ce • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5844 – Unverified Password Change in pimcore/admin-ui-classic-bundle
https://notcve.org/view.php?id=CVE-2023-5844
Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0. Cambio de contraseña no verificado en el repositorio de GitHub pimcore/admin-ui-classic-bundle anterior a 1.2.0. • https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea https://huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021 • CWE-287: Improper Authentication CWE-620: Unverified Password Change •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5192 – Excessive Data Query Operations in a Large Data Table in pimcore/demo
https://notcve.org/view.php?id=CVE-2023-5192
Excessive Data Query Operations in a Large Data Table in GitHub repository pimcore/demo prior to 10.3.0. Operaciones excesivas de consulta de datos en una tabla de datos grande en el repositorio de GitHub pimcore/demo antes de 10.3.0. • https://github.com/pimcore/demo/commit/a2a7ff3b565882aefb759804aac4a51afb458f1f https://huntr.dev/bounties/65c954f2-79c3-4672-8846-a3035e7a1db7 • CWE-1049: Excessive Data Query Operations in a Large Data Table •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-42817 – Cross-site Scripting (XSS) in pimcore admin-ui-classic-bundle translations
https://notcve.org/view.php?id=CVE-2023-42817
Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore. The translation value with text including “%s” (from “%suggest%) is parsed by sprintf() even though it’s supposed to be output literally to the user. The translations may be accessible by a user with comparatively lower overall access (as the translation permission cannot be scoped to certain “modules”) and a skilled attacker might be able to exploit the parsing of the translation string in the dialog box. This issue has been patched in commit `abd77392` which is included in release 1.1.2. Users are advised to update to version 1.1.2 or apply the patch manually. • https://github.com/pimcore/admin-ui-classic-bundle/commit/abd7739298f974319e3cac3fd4fcd7f995b63e4c https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-m988-7375-7g2c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •