Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-6vf6-g3pr-j83h

GitHub Security Advisory

pimcore is vulnerable to cross-site scripting via "title field " in data objects

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

### Impact
The vulnerability is capable of resulting in stolen user cookies.

#### Proof of Concept
```
Login with dev account https://11.x-dev.pimcore.fun/admin/?_dc=1670962076&perspective=

Go to setting --> data objects --> classes --> events

Click media under genaral settings

Add payload in title field.

Go to data objects module and open events, xss will trigger

// PoC.js "><iMg SrC="x" oNeRRor="alert(xss);">
```
### Patches
Update to version 10.5.14 or apply this patch manually https://github.com/pimcore/pimcore/pull/13916.patch

### Workarounds
Apply https://github.com/pimcore/pimcore/pull/13916.patch manually.

### References
https://huntr.dev/bounties/129d6a4b-0504-4de1-a72c-3f12c4552343/

Affected Packages

Packagist pimcore/pimcore
Affected versions: 0 (fixed in 10.5.14)

Related CVEs

CVE-2023-0323

Key Information

GHSA ID
GHSA-6vf6-g3pr-j83h
Published
January 20, 2023 4:55 PM
Last Modified
January 24, 2023 6:56 PM
CVSS Score
5.0 /10
Primary Ecosystem
Packagist
Primary Package
pimcore/pimcore
GitHub Reviewed
✓ Yes

Dataset

Last updated: November 26, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.