Vulnerability Description
Pimcore admin-ui-classic-bundle provides the backend UI for Pimcore. A translation value whose text contains “%s” (for example as part of the literal “%suggest%”) is parsed by sprintf() even though it is supposed to be output literally to the user. Translations may be editable by a user with comparatively low overall access, because the translation permission cannot be scoped to particular “modules”, and a skilled attacker might be able to exploit the parsing of the translation string in the dialog box. This issue has been patched in commit `abd77392`, which is included in release 1.1.2. Users are advised to update to version 1.1.2 or apply the patch manually.
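The failure mode described above, as an added illustration that is not code from Pimcore or from the patch: a minimal, hypothetical sprintf-style formatter shows what happens when stored translation text becomes part of the format string, the pattern that keeps the translation out of it, and a check that flags stored translations a sprintf-style parser would misread (all names and the sample translation are constructed).

```javascript
// Hypothetical minimal sprintf-style formatter standing in for the one the admin UI
// calls: it understands only the %s directive and the %% escape.
function sprintf(fmt, ...args) {
  let i = 0;
  return fmt.replace(/%(%|s)/g, (m, spec) => (spec === '%' ? '%' : String(args[i++] ?? '')));
}

// Constructed translation value of the kind a user holding the translation permission
// can store; "%suggest%" is meant to reach the screen as literal text.
const TRANSLATION = 'Enter %suggest% to search';

// Vulnerable pattern: the translated text is concatenated into the format string, so
// its "%s" is read as a directive, the caller's value lands inside the word and the
// slot the code actually intended is left empty.
function renderVulnerable(translated, term) {
  return sprintf(translated + ': %s', term);
}

// Hardened pattern: only a code-owned template is ever the format string; the
// translation is passed as an argument, so whatever "%" it contains is output literally.
function renderSafe(translated, term) {
  return sprintf('%s: %s', translated, term);
}

// Defensive audit of stored translations: return the keys whose value contains a "%"
// that a sprintf-style parser would treat as a directive ("%%" is the only harmless form).
function riskyTranslations(translations) {
  return Object.entries(translations)
    .filter(([, value]) => /%[^%\s]/.test(value.replace(/%%/g, '')))
    .map(([key]) => key);
}
```

Running the audit over an exported translation table before an upgrade shows which entries would have been mangled (or abused) by the vulnerable code path.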
CVSS Score
5.4 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pimcore | Admin Classic Bundle | < 1.1.2 |
Related Weaknesses (CWE)
References
- https://github.com/pimcore/admin-ui-classic-bundle/commit/abd7739298f974319e3cac (Patch)
- https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-m988 (Third Party Advisory)
FAQ
What is CVE-2023-42817?
CVE-2023-42817 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Pimcore admin-ui-classic-bundle provides the backend UI for Pimcore. A translation value whose text contains “%s” (for example as part of the literal “%suggest%”) is parsed by sprintf() even though it is supposed to be output litera...
How severe is CVE-2023-42817?
CVE-2023-42817 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-42817?
Check the references section above for vendor advisories and patch information. Affected products include: Pimcore Admin Classic Bundle.