GHSA-m988-7375-7g2c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m988-7375-7g2c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-m988-7375-7g2c/GHSA-m988-7375-7g2c.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-m988-7375-7g2c
- Aliases
- Published
- 2023-09-25T17:34:11Z
- Modified
- 2024-02-16T08:08:44.371741Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- pimcore/admin-ui-classic-bundle Cross-site Scripting vulnerability in Translations
- Details
-
Impact
The translation value with text including “%s” (from “%suggest%) is parsed by sprintf() even though it’s supposed to be output literally to the user.
The translations may be accessible by a user with comparatively lower overall access (as the translation permission cannot be scoped to certain “modules”) and a skilled attacker might be able to exploit the parsing of the translation string in the dialog box.
Patches
https://github.com/pimcore/admin-ui-classic-bundle/commit/abd7739298f974319e3cac3fd4fcd7f995b63e4c.patch
Workarounds
Update to version 1.1.2 or apply this patches manually https://github.com/pimcore/admin-ui-classic-bundle/commit/abd7739298f974319e3cac3fd4fcd7f995b63e4c.patch
- Database specific
{ "nvd_published_at": "2023-09-25T19:15:10Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-09-25T17:34:11Z" }- References
Affected packages
Packagist / pimcore/admin-ui-classic-bundle
Package
- Name
- pimcore/admin-ui-classic-bundle
- Purl
- pkg:composer/pimcore/admin-ui-classic-bundle