Missing file upload type validation in pimcore/pimcore
CVE-2023-23937

8.2 HIGH

Key Information:

Vendor: Pimcore
Status: Vendor
CVE Published: 3 February 2023

Summary

A vulnerability in the file upload functionality of the Pimcore Data Management Platform allows authenticated users to bypass content-type validation. By adding a valid signature, such as GIF89, malicious users can submit files with invalid content types. This allows HTML files containing JavaScript to be uploaded, and that JavaScript may then execute within the context of the affected domain. Users should upgrade to version 10.5.16 or later to mitigate this issue.
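The following added example (not Pimcore's code, and not taken from the advisory) contrasts a signature-only upload check with one that requires the file signature, the declared content type and the extension to agree, then stores and serves the file under server-chosen values. The allow-list, function names and sample bytes are assumptions made for illustration.

```python
import hashlib
import os

# Assumed allow-list for a hypothetical avatar upload endpoint:
# MIME type -> (magic-byte prefixes, permitted extensions).
ALLOWED = {
    "image/gif": ((b"GIF87a", b"GIF89a"), (".gif",)),
    "image/png": ((b"\x89PNG\r\n\x1a\n",), (".png",)),
    "image/jpeg": ((b"\xff\xd8\xff",), (".jpg", ".jpeg")),
}

def sniff_type(data):
    """Return the allowed MIME type whose signature starts the data, else None."""
    for mime, (signatures, _exts) in ALLOWED.items():
        if data.startswith(signatures):
            return mime
    return None

def weak_check(filename, declared_type, data):
    """Signature-only validation: ignores the declared type and the extension."""
    return sniff_type(data) is not None

def strict_check(filename, declared_type, data):
    """Signature, declared type and extension must agree. Returns (ok, detail)."""
    detected = sniff_type(data)
    if detected is None:
        return False, "unrecognised signature"
    if declared_type != detected:
        return False, "declared type does not match content"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED[detected][1]:
        return False, "extension does not match content"
    return True, detected

def storage_name(data, detected):
    """Server-chosen name, so the client's filename and extension are never reused."""
    return hashlib.sha256(data).hexdigest()[:16] + ALLOWED[detected][1][0]

def response_headers(detected):
    """Serve with the detected type and forbid sniffing or script execution."""
    return {
        "Content-Type": detected,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

# Constructed samples: a GIF signature followed by HTML, and a minimal GIF header.
POLYGLOT = b"GIF89a" + b"<html><script>/* placeholder */</script></html>"
GENUINE = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
```

A file that carries a valid signature and is uploaded as `.gif` still passes `strict_check`, which is why the stored name and the response headers are derived from the detected type rather than from anything the client sent.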

Affected Version(s)

pimcore < 10.5.16

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved