CVE-2023-4145
MEDIUM6.5EPSS 0.01%pimcore/customer-management-framework-bundle Cross-site Scripting vulnerability in Segment name
Description
### Impact As HTML injection works in email an attacker can trick a victim to click on such hyperlinks to redirect him to any malicious site and also can host a XSS page. All this will surely cause some damage to the victim. This could lead to users being tricked into giving logins away to malicious attackers. ### Patches Update to version 3.4.2 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch ### Workarounds Apply https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch manually. ### References https://huntr.dev/bounties/ce852777-2994-40b4-bb4e-c4d10023eeb0/
Affected packages (1)
- Packagist/pimcore/customer-management-framework-bundlefrom 0, < 3.4.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-4145
- PATCHhttps://github.com/pimcore/customer-data-framework
- WEBhttps://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2
- WEBhttps://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch
- WEBhttps://github.com/pimcore/customer-data-framework/security/advisories/GHSA-735f-w79p-282x
- WEBhttps://huntr.dev/bounties/ce852777-2994-40b4-bb4e-c4d10023eeb0