CVE-2023-4145 – pimcore/customer-management-framework-bundle

Package

Manager: composer
Name: pimcore/customer-management-framework-bundle
Vulnerable Version: >=0 <3.4.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

EPSS: 5e-05 pctl0.00232

Details

pimcore/customer-management-framework-bundle Cross-site Scripting vulnerability in Segment name ### Impact As HTML injection works in email an attacker can trick a victim to click on such hyperlinks to redirect him to any malicious site and also can host a XSS page. All this will surely cause some damage to the victim. This could lead to users being tricked into giving logins away to malicious attackers. ### Patches Update to version 3.4.2 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch ### Workarounds Apply https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch manually. ### References https://huntr.dev/bounties/ce852777-2994-40b4-bb4e-c4d10023eeb0/

Metadata

Created: 2023-08-03T16:32:49Z
Modified: 2023-08-03T19:40:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-735f-w79p-282x/GHSA-735f-w79p-282x.json
CWE IDs: ["CWE-79", "CWE-87"]
Alternative ID: GHSA-735f-w79p-282x
Finding: F425
Auto approve: 1