PT-2023-18905 · Pimcore · Pimcore
Aryaantony92 · Published 2023-04-27 · Updated 2024-11-19 · CVE-2023-2332
CVSS v3.1: 4.0 (Medium)
Vector: AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: pimcore/pimcore version 10.5.19
Description: Pimcore 10.5.19 contains a stored cross-site scripting (XSS) vulnerability in the Conditions tab of Pricing Rules, specifically in the From and To fields of the Date Range condition. Values entered into these fields are persisted and later rendered in the admin UI without proper encoding, so a backend user with permission to edit pricing rules (the CVSS vector requires high privileges, PR:H) can store script content there. The script executes in the browser of any other backend user who subsequently opens the rule (UI:R), in that user's session context. The consequences include theft of session cookies and redirection of the victim to attacker-controlled sites.
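The following is an added illustration of the bug class described above, not Pimcore's code and not the change in the referenced fix commit. Pimcore's admin UI is ExtJS-based; this example reduces the pattern to plain string templating so it runs under Node without a DOM. The stored values, function names and the rendered template are constructed for the demonstration. It shows how a non-date value in a date field becomes markup when interpolated unencoded, and the two independent fixes a reviewer would expect: output encoding at the rendering site and strict validation when the condition is saved.

```javascript
// Added illustration for the bug class in this advisory (stored XSS via a
// date field). This is NOT Pimcore's code and NOT the fix in the referenced
// commit; it reduces the pattern to plain string templating so it runs under
// Node without a DOM.

// Constructed values standing in for what is persisted in the From/To fields
// of a Date Range condition. A legitimate value looks like "2023-04-27".
const STORED_FROM = '2023-04-27"><img src=x onerror="alert(document.cookie)">';
const STORED_TO = "2023-05-27";

// Vulnerable pattern: the stored value is interpolated into markup as-is.
// The quote in STORED_FROM closes the value attribute and the ">" closes the
// <input>, so the rest of the payload becomes a new element.
function renderDateRangeUnsafe(from, to) {
  return `<div class="date-range">From: <input value="${from}"> To: <input value="${to}"></div>`;
}

// Fix 1: output encoding. Encode the HTML metacharacters before the value
// touches markup (same idea as Ext.util.Format.htmlEncode in ExtJS or
// htmlspecialchars in PHP).
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderDateRangeSafe(from, to) {
  return `<div class="date-range">From: <input value="${htmlEncode(from)}"> To: <input value="${htmlEncode(to)}"></div>`;
}

// Fix 2, defence in depth: validate on save. A date-range bound has exactly
// one legitimate shape (YYYY-MM-DD, calendar-valid), so reject anything else
// instead of trying to sanitize it. Returns true only for real dates.
function isValidIsoDate(value) {
  if (typeof value !== "string" || !/^\d{4}-\d{2}-\d{2}$/.test(value)) return false;
  const [y, m, d] = value.split("-").map(Number);
  const dt = new Date(Date.UTC(y, m - 1, d));
  // Date.UTC silently rolls "2023-02-30" over to March 2; comparing the
  // components back catches that.
  return dt.getUTCFullYear() === y && dt.getUTCMonth() === m - 1 && dt.getUTCDate() === d;
}

// Counts element tags in rendered markup. The template contains exactly four
// (<div>, two <input>, </div>); anything more means data became markup.
function tagCount(html) {
  return (html.match(/<[a-z/]/gi) || []).length;
}

// Stand-alone demo.
const unsafeHtml = renderDateRangeUnsafe(STORED_FROM, STORED_TO);
const safeHtml = renderDateRangeSafe(STORED_FROM, STORED_TO);
console.log("unsafe:", unsafeHtml, "tags:", tagCount(unsafeHtml));
console.log("safe:  ", safeHtml, "tags:", tagCount(safeHtml));
console.log("validation rejects payload:", !isValidIsoDate(STORED_FROM), "accepts real date:", isValidIsoDate(STORED_TO));
```

The two fixes are independent: encoding protects every rendering site even if a bad value is already in the database, while validation keeps bad values out of the database in the first place. After upgrading, existing pricing rules are worth a review for Date Range bounds that are not plain dates, since an upgrade corrects rendering but does not clean stored data.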
Recommendations: Update pimcore/pimcore to version 10.5.21, which resolves the issue. As a temporary workaround, apply the fix commit manually from https://github.com/pimcore/pimcore/commit/a4491551967d879141a3fdf0986a9dd3d891abfe.patch. Until the fix is in place, restrict the set of backend users allowed to edit pricing rules, since exploitation requires that permission, and review existing Date Range conditions for values that are not plain dates.

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2023-2332
GHSA-R7MM-JX6H-HV7M

Affected Products

Pimcore