Security
Headlines

Headlines Latest CVEs

Headline

GHSA-fq95-rx4q-qgg2: Cross-site Scripting (XSS) in Admin Login too many attempts notice

Impact

Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user’s session cookie, they can then impersonate that user.

Furthermore, JavaScript can read and make arbitrary modifications to the contents of a page being displayed to a user. Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities for an attacker.

Patches

Update to version 10.5.21 or apply this patch manually https://github.com/pimcore/pimcore/commit/66f1089fb1b9bcd575bfce9b1d4abb0f0499df11.patch

Workarounds

Apply patch https://github.com/pimcore/pimcore/commit/66f1089fb1b9bcd575bfce9b1d4abb0f0499df11.patch manually.

References

https://huntr.dev/bounties/cf3901ac-a649-478f-ab08-094ef759c11d/

2 years ago

#xss #web #git #java

Impact

Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user’s session cookie, they can then impersonate that user.

Furthermore, JavaScript can read and make arbitrary modifications to the contents of a page being displayed to a user. Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities for an attacker.

Patches

Update to version 10.5.21 or apply this patch manually https://github.com/pimcore/pimcore/commit/66f1089fb1b9bcd575bfce9b1d4abb0f0499df11.patch

Workarounds

Apply patch https://github.com/pimcore/pimcore/commit/66f1089fb1b9bcd575bfce9b1d4abb0f0499df11.patch manually.

References

https://huntr.dev/bounties/cf3901ac-a649-478f-ab08-094ef759c11d/

References

GHSA-fq95-rx4q-qgg2
https://nvd.nist.gov/vuln/detail/CVE-2023-2341
pimcore/pimcore@66f1089
https://huntr.dev/bounties/cf3901ac-a649-478f-ab08-094ef759c11d

Related news

CVE-2023-2341: fixed xss on login page (#14975) · pimcore/pimcore@66f1089

Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21.

2 years ago

#xss #csrf #git #auth

ghsa: Latest News

GHSA-j4rc-96xj-gvqc: phpMyFAQ: Public API endpoints expose emails and invisible questions

28 days ago

GHSA-wm8h-26fv-mg7g: phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)

28 days ago

GHSA-7p9h-m7m8-vhhv: phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)

28 days ago

GHSA-w7rq-fgx4-4xcm: LavaLite CMS affected by a stored cross-site scripting vulnerability

28 days ago

GHSA-mxc8-4jqf-368q: miniserve affected by a TOCTOU and symlink race vulnerability

28 days ago