Impact
An authenticated user could add XSS code as a value of custom metadata on assets.
Patches
#10178
#10206
Workarounds
Apply https://github.com/pimcore/pimcore/pull/10178.patch and https://github.com/pimcore/pimcore/pull/10206.patch manually.
References
https://huntr.dev/bounties/e4cb9cd8-89cf-427c-8d2e-37ca40099bf2/
https://huntr.dev/bounties/c3e4cf79-a4b5-4982-af27-729f66281501/