Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore. The translation value with text including “%s” (from “%suggest%) is parsed by sprintf() even though it’s supposed to be output literally to the user. The translations may be accessible by a user with comparatively lower overall access (as the translation permission cannot be scoped to certain “modules”) and a skilled attacker might be able to exploit the parsing of the translation string in the dialog box. This issue has been patched in commit `abd77392` which is included in release 1.1.2. Users are advised to update to version 1.1.2 or apply the patch manually.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-09-25T18:57:33.735Z
Updated: 2024-08-02T19:30:24.922Z
Reserved: 2023-09-14T16:13:33.309Z
Link: CVE-2023-42817
Vulnrichment
No data.
NVD
Status : Analyzed
Published: 2023-09-25T19:15:10.493
Modified: 2023-09-26T15:57:45.363
Link: CVE-2023-42817
Redhat
No data.