CVE-2023-42817 – pimcore/admin-ui-classic-bundle
Package
Manager: composer
Name: pimcore/admin-ui-classic-bundle
Vulnerable Version: >=0 <1.1.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 4e-05 (percentile 0.00183)
Details
pimcore/admin-ui-classic-bundle Cross-site Scripting vulnerability in Translations
### Impact
The translation value with text including “%s” (from “%suggest%”) is parsed by sprintf() even though it’s supposed to be output literally to the user. The translations may be accessible by a user with comparatively lower overall access (as the translation permission cannot be scoped to certain “modules”), and a skilled attacker might be able to exploit the parsing of the translation string in the dialog box.
### Patches
https://github.com/pimcore/admin-ui-classic-bundle/commit/abd7739298f974319e3cac3fd4fcd7f995b63e4c.patch
### Workarounds
Update to version 1.1.2 or apply this patch manually: https://github.com/pimcore/admin-ui-classic-bundle/commit/abd7739298f974319e3cac3fd4fcd7f995b63e4c.patch
Metadata
Created: 2023-09-25T17:34:11Z
Modified: 2023-09-26T13:57:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-m988-7375-7g2c/GHSA-m988-7375-7g2c.json
CWE IDs: CWE-79
Alternative ID: GHSA-m988-7375-7g2c
Finding: F008
Auto approve: 1