Pimcore
CVE-2022-3255
MEDIUM
Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can: Perform any action within the application that the user can perform. View any information that the user is able to view. Modify any information that the user is able to modify. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
AnalysisAI
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can: Perform any action within the application that the user can perform. View any information that the user is able to view. Modify any information that the user is able to modify. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user. Affected products include: Pimcore.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
An issue was discovered in Pimcore before 5.7.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita
pimcore is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Rated cri
Blind SQL injection in Pimcore's Admin Search Find API allows authenticated attackers to extract database information th
Pimcore is an Open Source Data & Experience Management Platform. Rated high severity (CVSS 8.8), this vulnerability is r
Path Traversal: '\..\filename' in GitHub repository pimcore/pimcore prior to 10.5.22. Rated high severity (CVSS 8.8), th
Privilege Defined With Unsafe Actions in GitHub repository pimcore/pimcore prior to 10.5.23. Rated high severity (CVSS 8
SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.21. Rated high severity (CVSS 8.8), this vulnerability
SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.19. Rated high severity (CVSS 8.8), this vulnerability
An improper SameSite Attribute vulnerability in pimCore v10.5.15 allows attackers to execute arbitrary code. Rated high
This affects the package pimcore/pimcore before 10.0.7. Rated high severity (CVSS 8.8), this vulnerability is remotely e
Pimcore before 5.3.0 allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validati
Pimcore is an open source data and experience management platform. Rated high severity (CVSS 8.7), this vulnerability is
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today