CVE-2024-11954

LOW

pimcore 11.4.2 - Cross-Site Scripting in Search Document

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-11954. PoCs published by maeitsec.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Pimcore's Data Object Classification Store due to insufficient input sanitization. An authenticated attacker can inject malicious JavaScript code, which executes in the context of other users' browsers.

Description

A vulnerability classified as problematic was found in Pimcore 11.4.2. Affected by this vulnerability is an unknown functionality of the component Search Document. The manipulation leads to basic cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Exploits (1)

exploitdb WORKING POC

by maeitsec · pythonwebappsmultiple

https://www.exploit-db.com/exploits/52194

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in Pimcore's Data Object Classification Store due to insufficient input sanitization. An authenticated attacker can inject malicious JavaScript code, which executes in the context of other users' browsers.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Pimcore 10.5.x (prior to 10.5.21) and 11.x (prior to 11.1.1)

Auth required

Prerequisites: Access to Pimcore backend · Permissions to edit Classification Store keys

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry vdb-entry

https://vuldb.com/?id.293905

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.293905

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.451774

Exploit, Vendor Advisory exploit

https://github.com/pimcore/pimcore/security/advisories/GHSA-xr3m-6gq6-22cg

Scores

CVSS v3 2.4

EPSS 0.0051

EPSS Percentile 67.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-80 CWE-74

Status published

Products (2)

pimcore/pimcore 11.4.2

pimcore/pimcore 11.4.2 - 11.5.3Packagist

Published Jan 28, 2025

Tracked Since Feb 18, 2026