CVE-2023-0323

Name of the Vulnerable Software and Affected Versions pimcore/pimcore versions prior to 10.5.14

Description The issue is related to Cross-site Scripting (XSS) - Stored, which can result in stolen user cookies. A proof of concept involves logging in with a dev account, navigating to specific settings, and adding a payload to a title field, triggering the XSS when opening events in the data objects module.

Recommendations For versions prior to 10.5.14, update to version 10.5.14 to resolve the issue. As a temporary workaround, consider applying the patch from https://github.com/pimcore/pimcore/pull/13916.patch manually to mitigate the risk.