SB2023042720 - Multiple vulnerabilities in Pimcore
Published: April 27, 2023 Updated: May 11, 2023
Description
This security bulletin contains information about 21 security vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2023-2323)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Ecommerce Pricing Rules name field. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
2) Cross-site scripting (CVE-ID: CVE-2023-2327)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in DataObject Class date fields. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
3) Cross-site scripting (CVE-ID: CVE-2023-2328)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the DataObjects QuantityValue Unit Definition. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
4) Cross-site scripting (CVE-ID: CVE-2023-2332)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Conditions tab of Pricing Rules. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
5) Cross-site scripting (CVE-ID: CVE-2023-2322)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Document Properties parameter. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
6) SQL injection (CVE-ID: CVE-2023-2338)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the AssetController. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
7) Path traversal (CVE-ID: CVE-2023-2336)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences in the Asset "import from server" option. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
8) SQL injection (CVE-ID: CVE-2023-30850)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Admin Translations API. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
9) Stored cross-site scripting (CVE-ID: CVE-2023-2340)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the DataObject columns grid. A remote attacker can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
10) Stored cross-site scripting (CVE-ID: CVE-2023-2339)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the DataObject Any Getter grid operator. A remote attacker can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
11) SQL injection (CVE-ID: CVE-2023-30848)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Admin Search Find API. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
12) Cross-site scripting (CVE-ID: CVE-2023-2342)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Website Settings name field. A remote user can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
13) Cross-site scripting (CVE-ID: CVE-2023-2343)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the DataObject Classification Store. A remote user can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
14) Path traversal (CVE-ID: CVE-2023-30852)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences in the "scriptPath" parameter of the Admin JS/CSS files handling. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
15) Stored cross-site scripting (CVE-ID: CVE-2023-2361)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
16) SQL injection (CVE-ID: CVE-2023-30849)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Admin Translations Export API. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
17) Cross-site scripting (CVE-ID: CVE-2023-2341)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Admin Login "too many attempts" notice. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
18) Stored cross-site scripting (CVE-ID: CVE-2023-2615)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Predefined Properties delete action. A remote user can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
19) Stored cross-site scripting (CVE-ID: CVE-2023-2616)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Static Routes name field. A remote user can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
20) Cross-site scripting (CVE-ID: CVE-2023-2630)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in Admin Translations. A remote user can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
21) Stored cross-site scripting (CVE-ID: CVE-2023-2614)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the name field of Custom Reports. A remote user can inject and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.
Remediation
Install the update from the vendor's website.
References
- https://github.com/pimcore/pimcore/security/advisories/GHSA-cjv6-w5hf-5wr6
- https://github.com/pimcore/pimcore/security/advisories/GHSA-x9xj-pqmv-8jf7
- https://github.com/pimcore/pimcore/security/advisories/GHSA-2295-vh28-pphc
- https://github.com/pimcore/pimcore/security/advisories/GHSA-r7mm-jx6h-hv7m
- https://github.com/pimcore/pimcore/security/advisories/GHSA-476g-v7hf-cw5m
- https://github.com/pimcore/pimcore/security/advisories/GHSA-4x35-vr82-xvj6
- https://github.com/pimcore/pimcore/security/advisories/GHSA-hg77-vx9v-f49x
- https://github.com/pimcore/pimcore/pull/14952
- https://github.com/pimcore/pimcore/security/advisories/GHSA-jwg4-qcgv-5wg6
- https://github.com/pimcore/pimcore/commit/7e32cc28145274ddfc30fb791012d26c1278bd38.patch
- https://github.com/pimcore/pimcore/commit/aa38319e353cc3cdfac12e03e21ed7a8f3628d3e
- https://huntr.dev/bounties/964762b0-b4fe-441c-81e1-0ebdbbf80f3b
- https://huntr.dev/bounties/bb1537a5-fe7b-4c77-a582-10a82435fbc2
- https://github.com/pimcore/pimcore/commit/6946f8a5a0a93b516c49f17a5b45044eebd73480
- https://github.com/pimcore/pimcore/pull/14972
- https://github.com/pimcore/pimcore/security/advisories/GHSA-6mhm-gcpf-5gr8
- https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3.patch
- https://huntr.dev/bounties/01cd3ed5-dce8-4021-9de0-81cb14bf1829
- https://github.com/pimcore/pimcore/commit/42a5bbe5f16b97371fdbfdcf2bb3ee759dea8564
- https://github.com/pimcore/pimcore/commit/f1d904094700b513c4756904fa2b1e19d08d890e
- https://huntr.dev/bounties/2fa17227-a717-4b66-ab5a-16bffbb4edb2
- https://github.com/pimcore/pimcore/commit/498cadec2292f7842fb10612068ac78496e884b4.patch
- https://github.com/pimcore/pimcore/pull/14959
- https://github.com/pimcore/pimcore/security/advisories/GHSA-j5c3-r84f-9596
- https://github.com/pimcore/pimcore/security/advisories/GHSA-9xg6-75mh-7x3f
- https://github.com/pimcore/pimcore/pull/14968
- https://github.com/pimcore/pimcore/commit/c6c80905e58c7724c776f980570a56df7016c6d1.patch
- https://github.com/pimcore/pimcore/security/advisories/GHSA-xmg8-w465-mr56
- https://github.com/pimcore/pimcore/commit/66f1089fb1b9bcd575bfce9b1d4abb0f0499df11
- https://huntr.dev/bounties/cf3901ac-a649-478f-ab08-094ef759c11d
- https://huntr.dev/bounties/af9c360a-87f8-4e97-a24b-6db675ee942a
- https://github.com/pimcore/pimcore/commit/7a799399e6843cd049e85da27ceb75b78505317f
- https://github.com/pimcore/pimcore/commit/07a2c95be524c7e20105cef58c5767d4ebb06091
- https://huntr.dev/bounties/564cb512-2bcc-4458-8c20-88110ab45801
- https://github.com/pimcore/pimcore/commit/7e32cc28145274ddfc30fb791012d26c1278bd38
- https://huntr.dev/bounties/e1001870-b8d8-4921-8b9c-bbdfb1a1491e
- https://github.com/pimcore/pimcore/commit/c36ef54ce33f7b5e74b7b0ab9eabfed47c018fc7
- https://huntr.dev/bounties/1a5e6c65-2c5e-4617-9411-5b47a7e743a6