CVE-2023-42817
Severity: MEDIUM 5.4 | EPSS 0.00%
pimcore/admin-ui-classic-bundle Cross-site Scripting vulnerability in Translations
Description
### Impact
The translation value with text including “%s” (from “%suggest%”) is parsed by sprintf() even though it is supposed to be output literally to the user. The translations may be accessible to a user with comparatively lower overall access (as the translation permission cannot be scoped to certain “modules”), and a skilled attacker might be able to exploit the parsing of the translation string in the dialog box.
### Patches
https://github.com/pimcore/admin-ui-classic-bundle/commit/abd7739298f974319e3cac3fd4fcd7f995b63e4c.patch
### Workarounds
Update to version 1.1.2 or apply this patch manually: https://github.com/pimcore/admin-ui-classic-bundle/commit/abd7739298f974319e3cac3fd4fcd7f995b63e4c.patch
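The defect described above, as an added illustration that is not Pimcore's code: an editor-controlled translation value used as the sprintf() format string has its leading "%s" consumed as a directive, while a value meant to be shown verbatim should have its percent signs neutralised first. The formatter, the `auditTranslations` check and the sample translation keys are constructed stand-ins, not the bundle's API.

```javascript
// Minimal sprintf-like formatter supporting only %s, %d and %% (stand-in for a real sprintf).
function sprintfLike(fmt, ...args) {
  let next = 0;
  return fmt.replace(/%(%|s|d)/g, (_, d) => {
    if (d === '%') return '%';
    const v = args[next++];
    if (v === undefined) return '';           // unmatched directive silently vanishes
    return d === 'd' ? String(parseInt(v, 10)) : String(v);
  });
}

// Vulnerable pattern: the translation value itself is the format string, so the literal
// text "%suggest%" is read as the directive "%s" followed by "uggest%".
function renderVulnerable(translation, ...args) {
  return sprintfLike(translation, ...args);
}

// Fixed pattern for text meant to be output literally: escape every '%' before formatting,
// so nothing inside the translation can ever be interpreted as a directive.
function escapePercent(s) {
  return s.replace(/%/g, '%%');
}
function renderLiteral(translation) {
  return sprintfLike(escapePercent(translation));
}

// Defender check: return the keys whose translation value contains an unescaped
// directive, to review stored translations while upgrading to 1.1.2 or later.
function auditTranslations(dict) {
  return Object.keys(dict).filter((k) => /%[a-zA-Z]/.test(dict[k].replace(/%%/g, '')));
}

// Constructed sample translation export (hypothetical keys and values).
const SAMPLE_TRANSLATIONS = {
  save_button: 'Save',
  progress_done: '100%% done',
  suggest_hint: 'Try %suggest% first',
};
```

Run `auditTranslations(SAMPLE_TRANSLATIONS)` to see only `suggest_hint` flagged, and compare `renderVulnerable('Try %suggest% first', 'X')` with `renderLiteral('Try %suggest% first')` to see the directive consumed versus preserved.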
Affected packages (1)
- Packagist: pimcore/admin-ui-classic-bundle, from 0, < 1.1.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
References (4)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-42817
- PATCH: https://github.com/pimcore/admin-ui-classic-bundle
- WEB: https://github.com/pimcore/admin-ui-classic-bundle/commit/abd7739298f974319e3cac3fd4fcd7f995b63e4c
- WEB: https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-m988-7375-7g2c