Home > Vulnerability Database > CVE-2023-23937

Mend.io Vulnerability Database

CVE-2023-23937

Good to know:

Date: February 3, 2023

Pimcore is an Open Source Data & Experience Management Platform: PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce. The upload functionality for updating user profile does not properly validate the file content-type, allowing any authenticated user to bypass this security check by adding a valid signature (p.e. GIF89) and sending any invalid content-type. This could allow an authenticated attacker to upload HTML files with JS content that will be executed in the context of the domain. This issue has been patched in version 10.5.16.

Language: PHP

Severity Score

5.4

Related Resources (4)

Url: https://github.com/pimcore/pimcore/commit/75a448ef8ac74424cf4e723afeb6d05f9eed872f

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-23937

Url: https://github.com/pimcore/pimcore/security/advisories/GHSA-8xv4-jj4h-qww6

Url: https://www.mend.io/vulnerability-database/CVE-2023-23937

Severity Score

5.4

Weakness Type (CWE)

Unrestricted Upload of File with Dangerous Type

CWE-434

Top Fix

Upgrade Version

Upgrade to version v10.5.16

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-23937

Good to know:

Date: February 3, 2023

Language: PHP

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?