N. Rai-Ngoen

**Name of the Vulnerable Software and Affected Versions** Pimcore (affected versions not specified) **Description** The issue allows for XSS attacks through various functions, including Users, Assets, Data Objects, Video Thumbnails, Image Thumbnails, Field-Collections, Objectbrick, Classification Store, Document Types, Predefined Properties, Predefined Asset Metadata, Quantity Value, and Static Routes. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pimcore versions prior to 5.3.0 **Description** The issue allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging validation of the `X-pimcore-csrf-token` anti-CSRF token only in the "Settings > Users / Roles" function. This means that other areas of the application may not properly validate this token, making them susceptible to CSRF attacks. **Recommendations** For versions prior to 5.3.0, update to version 5.3.0 or later to resolve the issue. As a temporary workaround, consider implementing additional CSRF protection measures, such as validating the `X-pimcore-csrf-token` token in all functions, not just the "Settings > Users / Roles" function. Restrict access to sensitive functions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Pimcore versions prior to 5.3.0 **Description** The issue allows SQL Injection via the REST web service API. **Recommendations** For versions prior to 5.3.0, update to version 5.3.0 or later to resolve the issue.