Missing file upload type validation in pimcore/pimcore
CVE-2023-23937

8.2HIGH

Key Information:

Vendor: Pimcore
Status: Pimcore
Vendor: CVE Published:; 3 February 2023

Summary

A vulnerability in the Pimcore Data Management Platform related to the file upload functionality allows authenticated users to bypass content-type validation. By appending a valid signature, such as GIF89, malicious users can submit files with invalid content types. This capability can enable unauthorized uploading of HTML files containing JavaScript, which may execute within the context of the affected domain. Users are recommended to upgrade to version 10.5.16 or later to mitigate this issue.

Affected Version(s)

pimcore < 10.5.16

References

https://github.com/pimcore/pimcore/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/pimcore/pimcore/commit/75a448ef8ac7442...

x_refsource_MISC

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 3, 2023
Vulnerability Reserved
Jan 19, 2023