Vulnerability DatabaseCVE-2023-2332
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-2332
Published:November 15, 2024
Updated:May 15, 2026
A stored Cross-site Scripting (XSS) vulnerability exists in the Conditions tab of Pricing Rules in pimcore/pimcore versions 10.5.19. The vulnerability is present in the From and To fields of the Date Range section, allowing an attacker to inject malicious scripts. This can lead to the execution of arbitrary JavaScript code in the context of the user's browser, potentially stealing cookies or redirecting users to malicious sites. The issue is fixed in version 10.5.21.
Related Resources (5)
https://github.com/pimcore/pimcore/security/advisories/GHSA-r7mm-jx6h-hv7m
https://github.com/pimcore/pimcore
https://nvd.nist.gov/vuln/detail/CVE-2023-2332
https://huntr.com/bounties/e436ed71-6741-4b30-89db-f7f3de4aca2c
https://github.com/pimcore/pimcore/commit/a4491551967d879141a3fdf0986a9dd3d891abfe
Do you need more information?
Contact Us
CVSS v4
Base Score:
2.4
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79