High severityNVD Advisory· Published Sep 1, 2021· Updated Aug 4, 2024
Improper Encoding or Escaping of Output in Asset Metadata Component
CVE-2021-39170
Description
Pimcore is an open source data & experience management platform. Prior to version 10.1.2, an authenticated user could add XSS code as a value of custom metadata on assets. There is a patch for this issue in Pimcore version 10.1.2. As a workaround, users may apply the patch manually.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pimcore/pimcorePackagist | < 10.1.2 | 10.1.2 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- github.com/advisories/GHSA-2v88-qq7x-xq5fghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-39170ghsaADVISORY
- github.com/pimcore/pimcore/pull/10178ghsax_refsource_MISCWEB
- github.com/pimcore/pimcore/pull/10178.patchghsax_refsource_MISCWEB
- github.com/pimcore/pimcore/pull/10206ghsaWEB
- github.com/pimcore/pimcore/security/advisories/GHSA-2v88-qq7x-xq5fghsax_refsource_CONFIRMWEB
- huntr.dev/bounties/c3e4cf79-a4b5-4982-af27-729f66281501ghsaWEB
- huntr.dev/bounties/e4cb9cd8-89cf-427c-8d2e-37ca40099bf2ghsaWEB
- huntr.dev/bounties/e4cb9cd8-89cf-427c-8d2e-37ca40099bf2/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.