CVE-2023-28850 - OpenCVE

Pimcore Perspective Editor provides an editor for Pimcore that allows users to add/remove/edit custom views and perspectives. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Version 1.5.1 has a patch. As a workaround, one may apply the patch manually.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pimcore	Perspective Editor

Configuration 1 [-]

cpe:2.3:a:pimcore:perspective_editor:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/pimcore/perspective-editor/pull/121.patch
https://github.com/pimcore/perspective-editor/security/advisories/GHSA-fq8q-55v3-2986
https://huntr.dev/bounties/5529f51e-e40f-46f1-887b-c9dbebab4f06/

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-04-03T17:09:20.311Z

Updated: 2024-08-02T13:51:38.504Z

Reserved: 2023-03-24T16:25:34.467Z

Link: CVE-2023-28850

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-04-03T18:15:07.873

Modified: 2023-04-12T18:52:35.143

Link: CVE-2023-28850

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-28850", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-03-24T16:25:34.467Z", "datePublished": "2023-04-03T17:09:20.311Z", "dateUpdated": "2024-08-02T13:51:38.504Z"}, "containers": {"cna": {"title": "Pimcore Perspective Editor vulnerable to Cross-site Scripting in perspective name", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pimcore/perspective-editor/security/advisories/GHSA-fq8q-55v3-2986", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pimcore/perspective-editor/security/advisories/GHSA-fq8q-55v3-2986"}, {"name": "https://github.com/pimcore/perspective-editor/pull/121.patch", "tags": ["x_refsource_MISC"], "url": "https://github.com/pimcore/perspective-editor/pull/121.patch"}, {"name": "https://huntr.dev/bounties/5529f51e-e40f-46f1-887b-c9dbebab4f06/", "tags": ["x_refsource_MISC"], "url": "https://huntr.dev/bounties/5529f51e-e40f-46f1-887b-c9dbebab4f06/"}], "affected": [{"vendor": "pimcore", "product": "perspective-editor", "versions": [{"version": "< 1.5.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-04-03T17:09:20.311Z"}, "descriptions": [{"lang": "en", "value": "Pimcore Perspective Editor provides an editor for Pimcore that allows users to add/remove/edit custom views and perspectives. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Version 1.5.1 has a patch. As a workaround, one may apply the patch manually."}], "source": {"advisory": "GHSA-fq8q-55v3-2986", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T13:51:38.504Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/pimcore/perspective-editor/security/advisories/GHSA-fq8q-55v3-2986", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/pimcore/perspective-editor/security/advisories/GHSA-fq8q-55v3-2986"}, {"name": "https://github.com/pimcore/perspective-editor/pull/121.patch", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pimcore/perspective-editor/pull/121.patch"}, {"name": "https://huntr.dev/bounties/5529f51e-e40f-46f1-887b-c9dbebab4f06/", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://huntr.dev/bounties/5529f51e-e40f-46f1-887b-c9dbebab4f06/"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pimcore:perspective_editor:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7B02DB3-2320-44C0-A8DA-89655E4C0001", "versionEndExcluding": "1.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Pimcore Perspective Editor provides an editor for Pimcore that allows users to add/remove/edit custom views and perspectives. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Version 1.5.1 has a patch. As a workaround, one may apply the patch manually."}], "id": "CVE-2023-28850", "lastModified": "2023-04-12T18:52:35.143", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-04-03T18:15:07.873", "references": [{"source": "security-advisories@github.com", "tags": ["Mailing List", "Patch"], "url": "https://github.com/pimcore/perspective-editor/pull/121.patch"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/pimcore/perspective-editor/security/advisories/GHSA-fq8q-55v3-2986"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://huntr.dev/bounties/5529f51e-e40f-46f1-887b-c9dbebab4f06/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}