Moderate severity · NVD Advisory · Published Mar 16, 2023 · Updated Feb 25, 2025
Pimcore vulnerable to Cross-site Scripting in UrlSlug Data type
CVE-2023-28106
Description
Pimcore is an open source data and experience management platform. Prior to version 10.5.19, a URL slug value was accepted without sanitization, so an attacker able to set it could inject a malicious script that runs in an unsuspecting user's browser (cross-site scripting). Users should upgrade to version 10.5.19, which contains the fix, or, as a workaround, apply the patch manually.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| pimcore/pimcore | Packagist | < 10.5.19 | 10.5.19 |
Patches
230e54fac0c9c Apply php-cs-fixer changes
1 file changed · +0 −1
models/Tool/UUID/Dao.php+0 −1 modified@@ -112,7 +112,6 @@ public function exists($uuid) ->where('uuid = :uuid') ->setParameter('uuid', $uuid, Types::STRING); - $result = $queryBuilder ->execute() ->fetchOne();
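Review bot: this hunk carries no part of the security fix; it only removes a blank line inside Tool\UUID\Dao::exists(), a php-cs-fixer whitespace change as the commit message says. Listing it among the patches for this CVE is misleading for anyone following the advisory's advice to apply the patch manually; the effective change is c59d0bf1d03a, and this commit can be left out.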
c59d0bf1d03a optimized urlslug input (#14669)
3 files changed · +14 −1
bundles/AdminBundle/Controller/Admin/Document/DocumentControllerBase.php+5 −0 modified@@ -162,6 +162,11 @@ protected function addSettingsToDocument(Request $request, Model\Document $docum if ($request->get('settings')) { if ($document->isAllowed('settings')) { $settings = $this->decodeJson($request->get('settings')); + + if(array_key_exists('prettyUrl' , $settings)){ + $settings['prettyUrl'] = htmlspecialchars($settings['prettyUrl']); + } + $document->setValues($settings); } }
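Review bot: `htmlspecialchars($settings['prettyUrl'])` relies on PHP's default flags, which before PHP 8.1 are ENT_COMPAT and leave single quotes unescaped, so a value reflected inside a single-quoted attribute would still break out; pass `ENT_QUOTES | ENT_SUBSTITUTE` explicitly. The hunk also escapes on write rather than on output: the stored value changes (a slug containing `&` is persisted as `&amp;`) and any template that already escapes on output will double-encode it. There is no check that `$settings['prettyUrl']` is a string before it reaches `htmlspecialchars()`, which raises a TypeError for an array and a deprecation notice for null on PHP 8.1. Style: `if(array_key_exists('prettyUrl' , $settings)){` has a stray space before the comma and no spaces around the parentheses, unlike the surrounding code.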
bundles/AdminBundle/Resources/public/js/pimcore/document/pages/settings.js+5 −1 modified@@ -224,7 +224,7 @@ pimcore.document.pages.settings = Class.create(pimcore.document.settings_abstrac method: "POST", params: { id: this.document.id, - path: el.getValue() + path: pimcore.helpers.sanitizeUrlSlug(el.getValue()) }, success: function (res) { res = Ext.decode(res.responseText); @@ -238,6 +238,10 @@ pimcore.document.pages.settings = Class.create(pimcore.document.settings_abstrac } } }); + }.bind(this), + "change": function (el) { + const sanitizedValue = pimcore.helpers.sanitizeUrlSlug(el.getValue()); + el.setValue(sanitizedValue); }.bind(this) } }
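Review bot: both calls to `pimcore.helpers.sanitizeUrlSlug` run in the admin UI, so they are a usability measure and not the control that prevents the XSS; a client that skips settings.js can still post any `path` value. The PHP side of this patch escapes only the `prettyUrl` key inside the `settings` JSON, and nothing in the diff shows the endpoint receiving this `path` parameter applying the same treatment, so that handler should validate the slug server-side as well. Also, the `change` handler rewrites the field with `el.setValue(sanitizedValue)` without telling the user which characters were removed; a validation error on the field would be clearer than silently altering the entered value.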
bundles/AdminBundle/Resources/public/js/pimcore/helpers.js+4 −0 modified@@ -18,6 +18,10 @@ pimcore.helpers.sanitizeEmail = function (email) { return email.replace(/[^a-zA-Z0-9_\-@.+]/g,''); }; +pimcore.helpers.sanitizeUrlSlug = function (slug) { + return slug.replace(/[^a-z0-9-_+/]/gi, ''); +}; + pimcore.helpers.registerKeyBindings = function (bindEl, ExtJS) { if (!ExtJS) {
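Review bot: the allowlist in `sanitizeUrlSlug`, `/[^a-z0-9-_+/]/gi`, is stricter than the server-side `htmlspecialchars()` in DocumentControllerBase, so the two halves of the fix disagree on what a valid slug is: characters that are legal in a URL path such as `.` and `~` are stripped here but pass the server untouched, and `&` is stripped here but survives on the server as `&amp;`. Pick one rule, enforce it server-side, and have the UI mirror it. Two smaller points: the `-` inside the class is literal only because it follows the completed `0-9` range, so write it as `\-` or move it to the end of the class so it stays literal if the class is ever reordered; and stripping rather than rejecting turns `<script>` into `script`, which is harmless but hides from the user that the input was changed.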
Vulnerability mechanics
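The fix in c59d0bf1d03a introduces two different sanitizers for the same value: an allowlist that strips characters in the admin UI and `htmlspecialchars()` on the server before the value is stored. The block below is an added example, not Pimcore code, written to show on constructed inputs what each strategy does to a benign slug, to a URL-legal slug containing `&`, and to an attribute-breakout XSS payload, and to contrast both with a validate-and-reject approach. `stripSlug` and `escapeHtml` mirror the behaviour of the patch's two sanitizers; `validateSlug`, `renderPrettyUrlField` and `compareStrategies` are hypothetical helpers introduced here, and the template in `renderPrettyUrlField` is a stand-in for any page that reflects the stored value without output escaping.

```javascript
// Added example for CVE-2023-28106 (not Pimcore code). It contrasts the two
// sanitizers the fix introduces (allowlist strip in the admin UI, htmlspecialchars
// on the server) with a validate-and-reject approach, on constructed slug values.

// 1. Allowlist strip, mirroring pimcore.helpers.sanitizeUrlSlug: every character
//    outside [a-z0-9-_+/] is dropped silently. The '-' is escaped here for clarity;
//    in the original it follows the 0-9 range and is literal either way.
function stripSlug(slug) {
  return slug.replace(/[^a-z0-9\-_+/]/gi, '');
}

// 2. Escape on write, mirroring what htmlspecialchars() does before the value is
//    stored. Single quotes are escaped as with PHP's ENT_QUOTES; PHP before 8.1
//    leaves them alone by default.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// 3. Validate and reject (hypothetical alternative): accept the value only if it is
//    entirely within the allowlist, otherwise refuse the request. Nothing is rewritten
//    behind the user's back, and the same check can run server-side on every request.
const SLUG_RE = /^[a-z0-9\-_+/]+$/i;
function validateSlug(slug) {
  if (typeof slug !== 'string' || !SLUG_RE.test(slug)) {
    throw new RangeError(`slug rejected: ${JSON.stringify(slug)}`);
  }
  return slug;
}

// Stand-in for a template that reflects the stored value into the settings form
// without output escaping. Used only to show whether a stored string breaks out
// of the attribute.
function renderPrettyUrlField(storedValue) {
  return `<input name="prettyUrl" value="${storedValue}">`;
}

// Run one input through all three strategies and report what each would store,
// plus whether reflecting the raw or the escaped value yields a script tag.
function compareStrategies(input) {
  let validated;
  try {
    validated = validateSlug(input);
  } catch (e) {
    validated = null; // null = request rejected by the validating strategy
  }
  return {
    input,
    stripped: stripSlug(input),
    escaped: escapeHtml(input),
    validated,
    rawRenderHasScript: /<script/i.test(renderPrettyUrlField(input)),
    escapedRenderHasScript: /<script/i.test(renderPrettyUrlField(escapeHtml(input))),
  };
}

// Constructed inputs: a benign slug, a slug with a URL-legal but non-allowlisted
// character, and a classic attribute-breakout XSS payload.
const SAMPLE_INPUTS = [
  '/news/spring-2023',
  '/docs/q&a',
  '"><script>alert(1)</script>',
];

function runDemo() {
  return SAMPLE_INPUTS.map(compareStrategies);
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The output makes the trade-off concrete: stripping leaves `scriptalert1/script` for the payload and `/docs/qa` for the benign `&` slug, both altered without notice; escaping on write neutralises the payload but persists `/docs/q&amp;a`, which is no longer the URL the user typed; validating rejects both non-conforming values and stores the benign slug unchanged. Whichever rule is chosen, it has to run on the server, since the client-side helper can be bypassed.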
References
- github.com/advisories/GHSA-x5j3-mq9g-8jc8
- nvd.nist.gov/vuln/detail/CVE-2023-28106
- github.com/pimcore/pimcore/commit/c59d0bf1d03a5037b586fe06230694fa3818dbf2
- github.com/pimcore/pimcore/pull/14669.patch
- github.com/pimcore/pimcore/security/advisories/GHSA-x5j3-mq9g-8jc8
- huntr.dev/bounties/fa77d780-9b23-404b-8c44-12108881d11a