Описание
pimcore/customer-management-framework-bundle Cross-site Scripting vulnerability in Segment name
Impact
As HTML injection works in email an attacker can trick a victim to click on such hyperlinks to redirect him to any malicious site and also can host a XSS page. All this will surely cause some damage to the victim. This could lead to users being tricked into giving logins away to malicious attackers.
Patches
Update to version 3.4.2 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch
Workarounds
Apply https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch manually.
References
https://huntr.dev/bounties/ce852777-2994-40b4-bb4e-c4d10023eeb0/
Ссылки
- https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-735f-w79p-282x
- https://nvd.nist.gov/vuln/detail/CVE-2023-4145
- https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2
- https://github.com/pimcore/customer-data-framework/commit/72f45dd537a706954e7a71c99fbe318640e846a2.patch
- https://huntr.dev/bounties/ce852777-2994-40b4-bb4e-c4d10023eeb0
Пакеты
pimcore/customer-management-framework-bundle
< 3.4.2
3.4.2
Связанные уязвимости
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/customer-data-framework prior to 3.4.2.