GHSA-735f-w79p-282x
Suggest an improvement- Source
- https://github.com/advisories/GHSA-735f-w79p-282x
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-735f-w79p-282x/GHSA-735f-w79p-282x.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-735f-w79p-282x
- Aliases
- Published
- 2023-08-03T16:32:49Z
- Modified
- 2024-02-16T08:02:25.828855Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L CVSS Calculator
- Summary
- pimcore/customer-management-framework-bundle Cross-site Scripting vulnerability in Segment name
- Details
-
Impact
As HTML injection works in email an attacker can trick a victim to click on such hyperlinks to redirect him to any malicious site and also can host a XSS page. All this will surely cause some damage to the victim. This could lead to users being tricked into giving logins away to malicious attackers.
Patches
Update to version 3.4.2 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch
Workarounds
Apply https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch manually.
References
https://huntr.dev/bounties/ce852777-2994-40b4-bb4e-c4d10023eeb0/
- Database specific
{ "nvd_published_at": "2023-08-03T17:15:12Z", "cwe_ids": [ "CWE-79", "CWE-87" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-08-03T16:32:49Z" }- References
-
- https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-735f-w79p-282x
- https://nvd.nist.gov/vuln/detail/CVE-2023-4145
- https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2
- https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch
- https://github.com/pimcore/customer-data-framework
- https://huntr.dev/bounties/ce852777-2994-40b4-bb4e-c4d10023eeb0
Affected packages
Packagist / pimcore/customer-management-framework-bundle
Package
- Name
- pimcore/customer-management-framework-bundle
- Purl
- pkg:composer/pimcore/customer-management-framework-bundle
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.4.2
Affected versions
1.*
1.0.0
1.0.1
1.3.17
v1.*
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.3.10
v1.3.11
v1.3.12
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.18
v1.3.19
v1.3.20
v1.3.21
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.4.9
v1.4.10
v1.4.11
v1.4.12
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.6
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.8.0
v1.9.0
v1.9.1
v1.10.0
v1.10.1
v1.11.0
v1.12.0
v1.12.1
v1.13.0
v1.13.1
v1.14.0
v1.14.1
v1.14.2
v1.14.3
v1.14.4
v2.*
v2.0.0
v2.0.1
v2.1.0
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.6
v2.4.7
v2.5.0
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.6.0
v2.6.1
v2.6.2
2.*
2.4.5
2.5.1
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v3.1.1
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9
v3.3.10
v3.4.0
v3.4.1