← back
CVE-2023-37280

Pimcore admin UI vulnerable to Cross-site Scripting in two factor authentication setup page

CVSS 5 MEDIUMEPSS 0.5%CWE-79
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
11 Jul 2023Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. An admin who has not setup two factor authentication before is vulnerable for this attack, without need for any form of privilege, causing the application to execute arbitrary scripts/HTML content. This vulnerability has been patched in version 1.0.3.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Affected products
pimcore · admin-ui-classic-bundle

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/pimcore/admin-ui-classic-bundle/commit/5fcd19bdc89a3fe4cb8ad8c356590e1e4740c743https://github.com/pimcore/admin-ui-classic-bundle/pull/147https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-hqv9-6jqw-9g8m