PT-2023-18930 · Pimcore · Pimcore

Published 2023-04-27 · Updated 2023-05-04 · CVE-2023-2341

CVSS v3.1: 7.3 (High)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: pimcore/pimcore versions prior to 10.5.21
Description: This cross-site scripting (XSS) issue allows malicious JavaScript to access all the same objects as the rest of the web page, including cookies and local storage, which are often used to store session tokens. An attacker who obtains a user's session cookie this way could impersonate that user. Furthermore, the injected JavaScript can read and arbitrarily modify the contents of the page shown to the user, which widens the attacker's options, especially when combined with social engineering.
Recommendations: Update to version 10.5.21 or apply the patch manually from https://github.com/pimcore/pimcore/commit/66f1089fb1b9bcd575bfce9b1d4abb0f0499df11.patch to resolve the issue. As a temporary workaround until the patch is applied, consider restricting access to sensitive data and implementing additional security measures to minimize the risk of exploitation.

Exploit · Fix · XSS

Related Identifiers: CVE-2023-2341, GHSA-FQ95-RX4Q-QGG2

Affected Products: Pimcore