Description
A stored Cross-site Scripting (XSS) vulnerability exists in the Conditions tab of Pricing Rules in pimcore/pimcore versions 10.5.19. The vulnerability is present in the From and To fields of the Date Range section, allowing an attacker to inject malicious scripts. This can lead to the execution of arbitrary JavaScript code in the context of the user's browser, potentially stealing cookies or redirecting users to malicious sites. The issue is fixed in version 10.5.21.
References (2)
Core 2
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/e436ed71-6741-4b30-89db-f7f3de4aca2c
Scores
CVSS v3
4.8
EPSS
0.0000
EPSS Percentile
0.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
pimcore/pimcore
10.5.19
pimcore/pimcore
0 - 10.5.21Packagist
Published
Nov 15, 2024
Tracked Since
Feb 18, 2026