Cross-site Scripting (XSS) - Stored in pimcore/customer-data-framework
Description
Pimcore Customer Data Framework prior to 3.4.2 contains a stored XSS vulnerability in segment name rendering.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2023-4145 is a stored cross-site scripting (XSS) vulnerability in the Pimcore Customer Data Framework (CDF) bundle, affecting versions prior to 3.4.2. The core issue resides in the DefaultViewFormatter::formatSegmentValue method, which outputs the customer segment name without proper HTML sanitization. The fix, provided in commit 72f45dd5, applies SecurityHelper::convertHtmlSpecialChars() to escape the segment name before rendering [1][3].
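As an added illustration (not code from the bundle or from this advisory), a minimal PHP stand-in for the formatter before and after the fix; it assumes a hypothetical minimal CustomerSegmentInterface and substitutes PHP's built-in htmlspecialchars() for Pimcore's SecurityHelper::convertHtmlSpecialChars(), which is not available outside a Pimcore install:

```php
<?php
// Added illustration, not the bundle's own code: a stand-in for
// DefaultViewFormatter::formatSegmentValue() before and after commit 72f45dd5.
// Assumption: htmlspecialchars() replaces SecurityHelper::convertHtmlSpecialChars()
// so this file runs without Pimcore.
declare(strict_types=1);

// Hypothetical minimal stand-in for CustomerManagementFrameworkBundle's interface.
interface CustomerSegmentInterface
{
    public function getName(): string;
}

final class Segment implements CustomerSegmentInterface
{
    public function __construct(private string $name) {}
    public function getName(): string { return $this->name; }
}

// Vulnerable behaviour (before 3.4.2): the stored name is interpolated into markup as-is,
// so any tags in the segment name become part of the admin page's DOM.
function formatSegmentValueVulnerable(CustomerSegmentInterface $segment): string
{
    return sprintf('<span class="label label-default">%s</span>', $segment->getName());
}

// Fixed behaviour (3.4.2): escape at the HTML output boundary.
// ENT_QUOTES | ENT_SUBSTITUTE also escapes quotes, so the value would stay inert
// inside an attribute context, not only as element text.
function formatSegmentValueFixed(CustomerSegmentInterface $segment): string
{
    $escaped = htmlspecialchars($segment->getName(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf('<span class="label label-default">%s</span>', $escaped);
}

// Constructed segment name containing markup, as a segment editor could store it.
$segment = new Segment('VIP <script>alert(1)</script>');

echo formatSegmentValueVulnerable($segment), PHP_EOL;
echo formatSegmentValueFixed($segment), PHP_EOL;

// Regression check a unit test could carry: no raw tag survives in the fixed output,
// while the vulnerable variant still emits it verbatim.
if (str_contains(formatSegmentValueFixed($segment), '<script>')) {
    throw new RuntimeException('segment name was not escaped');
}
if (!str_contains(formatSegmentValueVulnerable($segment), '<script>')) {
    throw new RuntimeException('vulnerable variant unexpectedly altered the name');
}
```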
Exploitation
An attacker with privileged access to manage customer segments can inject malicious JavaScript code into a segment name. When the segment name is later displayed in the Pimcore admin interface, the injected script executes in the context of another user's browser session. No additional privileges beyond the ability to create or edit customer segments are required, as the stored name is rendered unsanitized in the admin views [1][4].
Impact
Successful exploitation allows the attacker to perform actions on behalf of an authenticated admin user, including data theft, session hijacking, or modification of customer segmentation data. The XSS can compromise the confidentiality, integrity, and availability of the affected Pimcore instance and its managed customer data [4].
Mitigation
The vulnerability is patched in version 3.4.2 of the CDF bundle. Users should upgrade immediately. However, as noted in the repository, the community (GPL) version of this bundle has been archived and is end-of-life (EOL). The updated and supported version is available only in the Pimcore Enterprise Edition. For LTS support, a valid enterprise subscription is required [2].
- [1] NVD - CVE-2023-4145
- [2] GitHub - pimcore/customer-data-framework: Customer Data Framework community bundle adds capability for management of customer data to Pimcore.
- [3] https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch
- [4] Cross-site Scripting (XSS) - Stored in Segment name
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pimcore/customer-management-framework-bundle (Packagist) | < 3.4.2 | 3.4.2 |
Affected products
- pimcore/pimcore/customer-data-framework (v5); Range: unspecified
Patches
- 72f45dd537a7 Fix Xss in the segment name (#490)
2 files changed · +3 −2
composer.json+1 −1 modified@@ -24,7 +24,7 @@ "pear/archive_tar": "^1.4.3", "pimcore/number-sequence-generator": "^1.0.5", "pimcore/object-merger": "^3.0", - "pimcore/pimcore": "^10.5", + "pimcore/pimcore": "^10.5.21", "pimcore/search-query-parser": "^1.3", "symfony/asset": "^5.3", "symfony/config": "^5.3",
src/View/Formatter/DefaultViewFormatter.php+2 −1 modified@@ -19,6 +19,7 @@ use CustomerManagementFrameworkBundle\Model\CustomerSegmentInterface; use Pimcore\Model\DataObject\ClassDefinition; use Pimcore\Model\DataObject\ClassDefinition\Data; +use Pimcore\Security\SecurityHelper; use Symfony\Contracts\Translation\TranslatorInterface; class DefaultViewFormatter implements ViewFormatterInterface @@ -176,7 +177,7 @@ public function getLocale() */ protected function formatSegmentValue(CustomerSegmentInterface $segment) { - return sprintf('<span class="label label-default">%s</span>', $segment->getName()); + return sprintf('<span class="label label-default">%s</span>', SecurityHelper::convertHtmlSpecialChars($segment->getName())); } protected function getLanguageFromLocale($locale)
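Review bot: the composer.json constraint bump from `"pimcore/pimcore": "^10.5"` to `"^10.5.21"` is not explained anywhere in the change; the only visible reason is the new `use Pimcore\Security\SecurityHelper;` import in DefaultViewFormatter.php. The commit message (currently just "Fix Xss in the segment name (#490)") should state that the core minimum is raised because the helper is required, so that sites applying this security release understand why a `pimcore/pimcore` upgrade comes with it.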
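Review bot: the `formatSegmentValue()` hunk escapes `$segment->getName()` with `SecurityHelper::convertHtmlSpecialChars()` at this one call site, but no test accompanies it (the patch touches only composer.json and this file). A unit test that passes a segment whose name contains markup through `formatSegmentValue()` and asserts the returned `<span>` holds the escaped form would keep this from regressing; since only this single return line changes, it is also worth confirming that no other formatter method in the same class renders the segment name unescaped.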
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-735f-w79p-282x (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-4145 (ghsa, ADVISORY)
- github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2 (ghsa, WEB)
- github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch (ghsa, WEB)
- github.com/pimcore/customer-data-framework/security/advisories/GHSA-735f-w79p-282x (ghsa, WEB)
- huntr.dev/bounties/ce852777-2994-40b4-bb4e-c4d10023eeb0 (ghsa, WEB)