Brusch

**Name of the Vulnerable Software and Affected Versions** Pimcore versions prior to 10.1.3 **Description** Pimcore is an open source data & experience management platform. In this platform, it is possible to enumerate usernames via the forgot password functionality. **Recommendations** For versions prior to 10.1.3, update to version 10.1.3 or apply the available patch manually as a workaround.

**Name of the Vulnerable Software and Affected Versions** Pimcore versions prior to 10.1.2 **Description** The issue concerns the Pimcore open source data & experience management platform. In this platform, text-values were not properly escaped before being printed in the version preview. This allowed cross-site scripting (XSS) attacks by authenticated users who had access to the resources. **Recommendations** For Pimcore versions prior to 10.1.2, update to version 10.1.2 to resolve the issue. As a temporary workaround, consider restricting access to the version preview feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Pimcore versions prior to 10.1.2 **Description** Pimcore is an open source data & experience management platform. Prior to version 10.1.2, an authenticated user could add XSS code as a value of custom metadata on assets. **Recommendations** For versions prior to 10.1.2, update to version 10.1.2 to resolve the issue. As a temporary workaround, users may apply the patch manually.

**Name of the Vulnerable Software and Affected Versions** Pimcore versions prior to 10.1.1 **Description** The issue concerns a formular injection vulnerability in the Data Object CSV import feature of Pimcore, an open source data & experience management platform. This vulnerability allows for formular injection prior to version 10.1.1. **Recommendations** For versions prior to 10.1.1, upgrade to version 10.1.1 to resolve the issue. As a temporary workaround, apply the patch manually.

**Name of the Vulnerable Software and Affected Versions** Pimcore versions prior to 6.8.5 **Description** The issue allows modification and creation of website settings without appropriate permissions. **Recommendations** For versions prior to 6.8.5, update to version 6.8.5 or later to resolve the issue.