CVE-2021-39166

Опубликовано: 01 сент. 2021

Источник: nvd

CVSS3: 8

CVSS3: 5.4

CVSS2: 3.5

EPSS Низкий

Описание

Pimcore is an open source data & experience management platform. Prior to version 10.1.2, text-values were not properly escaped before printed in the version preview. This allowed XSS by authenticated users with access to the resources. This issue is patched in Pimcore version 10.1.2.

Ссылки

https://github.com/pimcore/pimcore/pull/10170
Patch
Third Party Advisory
https://github.com/pimcore/pimcore/security/advisories/GHSA-w6j8-jc36-x5q9
Patch
Third Party Advisory
https://github.com/pimcore/pimcore/pull/10170
Patch
Third Party Advisory
https://github.com/pimcore/pimcore/security/advisories/GHSA-w6j8-jc36-x5q9
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*

Версия до 10.1.2 (исключая)

EPSS

Процентиль: 2%

0.00015

Низкий

8 High

CVSS3

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-w6j8-jc36-x5q9

CVSS3: 8

github

больше 4 лет назад

Improper Neutralization of Text-Values in Object Version Preview

EPSS

Процентиль: 2%

0.00015

Низкий

8 High

CVSS3

5.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-79