Pimcore Perspective Editor vulnerable to Cross-site Scripting in perspective name
Description
Pimcore Perspective Editor provides an editor for Pimcore that allows users to add/remove/edit custom views and perspectives. This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Version 1.5.1 has a patch. As a workaround, one may apply the patch manually.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pimcore/perspective-editor (Packagist) | < 1.5.1 | 1.5.1 |
Affected products
- pimcore/perspective-editor (v5), range: < 1.5.1
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization and output encoding of perspective/view names allows stored cross-site scripting (XSS)."
Attack vector
An attacker with the ability to create or rename perspectives/views (typically an admin user) can inject malicious JavaScript into the name field. When the name is later rendered in the Pimcore admin interface without proper sanitization, the injected script executes in the context of another administrator's session. This can lead to cookie theft (session hijacking) or redirection to attacker-controlled sites. The attack requires the victim to view the crafted perspective or view name in the admin UI [patch_id=1640890].
Affected code
The vulnerability exists in the JavaScript files `src/Resources/public/js/pimcore/perspective/perspective.js` and `src/Resources/public/js/pimcore/perspective/view.js`, where user-supplied names for perspectives and views are not sanitized before being stored. Additionally, the server-side PHP files `src/Services/ViewAccessor.php` and `src/Services/PerspectiveAccessor.php` lacked output encoding when persisting these names to configuration, allowing stored XSS to propagate.
What the fix does
The patch adds a `sanitizeName()` method to both `perspective.js` and `view.js` that strips any characters outside `[a-z0-9_\-\.+]` from user input before it is used. On the server side, `htmlspecialchars()` is applied to the name in `PerspectiveAccessor.php` and `ViewAccessor.php` when converting the tree store to configuration. This two-layer defense ensures that even if client-side sanitization is bypassed, stored names are safely HTML-encoded before being rendered, preventing XSS [patch_id=1640890].
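The two layers described above, as an added illustration in plain JavaScript (not the project's own code): `sanitizeName` applies the allowlist quoted from the advisory verbatim, and `htmlEscape` stands in for the server-side `htmlspecialchars()` call, assuming ENT_QUOTES-style encoding of both quote characters since the page does not state the flags used. Whether the real allowlist is case-insensitive is also not stated, so uppercase letters are stripped here exactly as the quoted pattern reads.

```javascript
// Added example: the client/server two-layer name handling from the fix,
// simulated in one file. Constructed input, not a payload from the advisory.

// Allowlist quoted on the page: [a-z0-9_\-\.+]; everything else is dropped.
const NAME_ALLOWLIST = /[^a-z0-9_\-\.+]/g;

// Layer 1 (client side, perspective.js / view.js in the fix): strip every
// character outside the allowlist before the name is used anywhere.
function sanitizeName(name) {
  return String(name).replace(NAME_ALLOWLIST, "");
}

// Layer 2 (server side, PerspectiveAccessor.php / ViewAccessor.php in the
// fix): HTML-encode the name before it is persisted to configuration.
// Assumption: behaves like PHP htmlspecialchars() with ENT_QUOTES.
function htmlEscape(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Defender-side check: can a stored name still be interpreted as markup?
function containsMarkup(stored) {
  return /[<>"']/.test(stored);
}

// Simulate the normal UI path (layer 1 then layer 2) and a request that
// skipped the client-side sanitizer (layer 2 only), which is the case the
// server-side encoding exists for.
function persistName(rawName, { skipClient = false } = {}) {
  const afterClient = skipClient ? rawName : sanitizeName(rawName);
  return htmlEscape(afterClient);
}

// Constructed sample resembling the class of input the advisory describes.
const SAMPLE = '<img src=x onerror="alert(1)">';

console.log(persistName(SAMPLE));                      // imgsrcxonerroralert1
console.log(persistName(SAMPLE, { skipClient: true })); // &lt;img src=x ...&gt;
console.log(containsMarkup(persistName(SAMPLE, { skipClient: true }))); // false
```

Either path yields a stored value that cannot introduce a tag or attribute when rendered in the admin tree, which is the property the fix relies on.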
Preconditions
- auth: The attacker must have the ability to create or rename perspectives/views in the Pimcore admin interface (typically an admin/editor role).
- input: A victim administrator must view the crafted perspective or view name in the admin UI (e.g., in the perspective tree or view editor).
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fq8q-55v3-2986 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-28850 (GHSA, advisory)
- github.com/pimcore/perspective-editor/pull/121.patch (GHSA, x_refsource_MISC, web)
- github.com/pimcore/perspective-editor/security/advisories/GHSA-fq8q-55v3-2986 (GHSA, x_refsource_CONFIRM, web)
- huntr.dev/bounties/5529f51e-e40f-46f1-887b-c9dbebab4f06 (GHSA, web)
- huntr.dev/bounties/5529f51e-e40f-46f1-887b-c9dbebab4f06 (MITRE, x_refsource_MISC)