Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-8xv4-jj4h-qww6

GitHub Security Advisory

Pimcore contains Unrestricted Upload of File with Dangerous Type

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

### Impact
The upload functionality for updating user profile does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature (p.e. GIF89) and sending any invalid content-type. This could allow an authenticated attacker to upload HTML files with JS content that will be executed in the context of the domain.

### Patches
Update to version 10.5.16 or apply this patch manually https://github.com/pimcore/pimcore/pull/14125.patch

Affected Packages

Packagist pimcore/pimcore
Affected versions: 0 (fixed in 10.5.16)

Related CVEs

CVE-2023-23937

Key Information

GHSA ID
GHSA-8xv4-jj4h-qww6
Published
February 2, 2023 5:00 PM
Last Modified
February 13, 2023 4:56 PM
CVSS Score
5.0 /10
Primary Ecosystem
Packagist
Primary Package
pimcore/pimcore
GitHub Reviewed
✓ Yes

Dataset

Last updated: November 26, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.