CVE-2023-30852 - Vulnerability Details - OpenCVE

Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the `/admin/misc/script-proxy` API endpoint that is accessible by an authenticated administrator user is vulnerable to arbitrary JavaScript and CSS file read via the `scriptPath` and `scripts` parameters. The `scriptPath` parameter is not sanitized properly and is vulnerable to path traversal attack. Any JavaScript/CSS file from the application server can be read by specifying sufficient number of `../` patterns to go out from the application webroot followed by path of the folder where the file is located in the "scriptPath" parameter and the file name in the "scripts" parameter. The JavaScript file is successfully read only if the web application has read access to it. Users should update to version 10.5.21 to receive a patch or, as a workaround, apply the patch manual.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Pimcore	Pimcore

Configuration 1 [-]

cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/pimcore/pimcore/commit/498cadec2292f7842fb10612068ac78496e884b4.patch
https://github.com/pimcore/pimcore/pull/14959
https://github.com/pimcore/pimcore/security/advisories/GHSA-j5c3-r84f-9596

History

Thu, 30 Jan 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-04-27T16:44:28.113Z

Updated: 2025-01-30T19:35:04.361Z

Reserved: 2023-04-18T16:13:15.881Z

Link: CVE-2023-30852

Vulnrichment

Updated: 2024-08-02T14:37:15.497Z

NVD

Status : Modified

Published: 2023-04-27T17:15:08.957

Modified: 2024-11-21T08:00:58.463

Link: CVE-2023-30852

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-30852", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-04-18T16:13:15.881Z", "datePublished": "2023-04-27T16:44:28.113Z", "dateUpdated": "2025-01-30T19:35:04.361Z"}, "containers": {"cna": {"title": "Pimcore Arbitrary File Read in Admin JS CSS files", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-j5c3-r84f-9596", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-j5c3-r84f-9596"}, {"name": "https://github.com/pimcore/pimcore/pull/14959", "tags": ["x_refsource_MISC"], "url": "https://github.com/pimcore/pimcore/pull/14959"}, {"name": "https://github.com/pimcore/pimcore/commit/498cadec2292f7842fb10612068ac78496e884b4.patch", "tags": ["x_refsource_MISC"], "url": "https://github.com/pimcore/pimcore/commit/498cadec2292f7842fb10612068ac78496e884b4.patch"}], "affected": [{"vendor": "pimcore", "product": "pimcore", "versions": [{"version": "< 10.5.21", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-04-27T16:44:28.113Z"}, "descriptions": [{"lang": "en", "value": "Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the `/admin/misc/script-proxy` API endpoint that is accessible by an authenticated administrator user is vulnerable to arbitrary JavaScript and CSS file read via the `scriptPath` and `scripts` parameters. The `scriptPath` parameter is not sanitized properly and is vulnerable to path traversal attack. Any JavaScript/CSS file from the application server can be read by specifying sufficient number of `../` patterns to go out from the application webroot followed by path of the folder where the file is located in the \"scriptPath\" parameter and the file name in the \"scripts\" parameter. The JavaScript file is successfully read only if the web application has read access to it. Users should update to version 10.5.21 to receive a patch or, as a workaround, apply the patch manual."}], "source": {"advisory": "GHSA-j5c3-r84f-9596", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:37:15.497Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-j5c3-r84f-9596", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-j5c3-r84f-9596"}, {"name": "https://github.com/pimcore/pimcore/pull/14959", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pimcore/pimcore/pull/14959"}, {"name": "https://github.com/pimcore/pimcore/commit/498cadec2292f7842fb10612068ac78496e884b4.patch", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pimcore/pimcore/commit/498cadec2292f7842fb10612068ac78496e884b4.patch"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-30T19:34:59.730210Z", "id": "CVE-2023-30852", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-30T19:35:04.361Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-30852", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-04-18T16:13:15.881Z", "datePublished": "2023-04-27T16:44:28.113Z", "dateUpdated": "2025-01-30T19:35:04.361Z"}, "containers": {"cna": {"title": "Pimcore Arbitrary File Read in Admin JS CSS files", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-j5c3-r84f-9596", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-j5c3-r84f-9596"}, {"name": "https://github.com/pimcore/pimcore/pull/14959", "tags": ["x_refsource_MISC"], "url": "https://github.com/pimcore/pimcore/pull/14959"}, {"name": "https://github.com/pimcore/pimcore/commit/498cadec2292f7842fb10612068ac78496e884b4.patch", "tags": ["x_refsource_MISC"], "url": "https://github.com/pimcore/pimcore/commit/498cadec2292f7842fb10612068ac78496e884b4.patch"}], "affected": [{"vendor": "pimcore", "product": "pimcore", "versions": [{"version": "< 10.5.21", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-04-27T16:44:28.113Z"}, "descriptions": [{"lang": "en", "value": "Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the `/admin/misc/script-proxy` API endpoint that is accessible by an authenticated administrator user is vulnerable to arbitrary JavaScript and CSS file read via the `scriptPath` and `scripts` parameters. The `scriptPath` parameter is not sanitized properly and is vulnerable to path traversal attack. Any JavaScript/CSS file from the application server can be read by specifying sufficient number of `../` patterns to go out from the application webroot followed by path of the folder where the file is located in the \"scriptPath\" parameter and the file name in the \"scripts\" parameter. The JavaScript file is successfully read only if the web application has read access to it. Users should update to version 10.5.21 to receive a patch or, as a workaround, apply the patch manual."}], "source": {"advisory": "GHSA-j5c3-r84f-9596", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T14:37:15.497Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/pimcore/pimcore/security/advisories/GHSA-j5c3-r84f-9596", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-j5c3-r84f-9596"}, {"name": "https://github.com/pimcore/pimcore/pull/14959", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pimcore/pimcore/pull/14959"}, {"name": "https://github.com/pimcore/pimcore/commit/498cadec2292f7842fb10612068ac78496e884b4.patch", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/pimcore/pimcore/commit/498cadec2292f7842fb10612068ac78496e884b4.patch"}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-30852", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-30T19:34:59.730210Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-30T19:34:31.413Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*", "matchCriteriaId": "72C537D6-67BA-4562-B853-F99E6C14315C", "versionEndExcluding": "10.5.21", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Pimcore is an open source data and experience management platform. Prior to version 10.5.21, the `/admin/misc/script-proxy` API endpoint that is accessible by an authenticated administrator user is vulnerable to arbitrary JavaScript and CSS file read via the `scriptPath` and `scripts` parameters. The `scriptPath` parameter is not sanitized properly and is vulnerable to path traversal attack. Any JavaScript/CSS file from the application server can be read by specifying sufficient number of `../` patterns to go out from the application webroot followed by path of the folder where the file is located in the \"scriptPath\" parameter and the file name in the \"scripts\" parameter. The JavaScript file is successfully read only if the web application has read access to it. Users should update to version 10.5.21 to receive a patch or, as a workaround, apply the patch manual."}], "id": "CVE-2023-30852", "lastModified": "2024-11-21T08:00:58.463", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-04-27T17:15:08.957", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pimcore/pimcore/commit/498cadec2292f7842fb10612068ac78496e884b4.patch"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/pimcore/pimcore/pull/14959"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-j5c3-r84f-9596"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/pimcore/pimcore/commit/498cadec2292f7842fb10612068ac78496e884b4.patch"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/pimcore/pimcore/pull/14959"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-j5c3-r84f-9596"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}