Missing file upload type validation in user profile

High
dvesh3 published GHSA-8xv4-jj4h-qww6 Feb 1, 2023

Package

pimcore/pimcore (Composer)

Affected versions

< 10.5.16

Patched versions

10.5.16

Description

Impact

The upload functionality for updating the user profile does not properly validate the file content type. Any authenticated user can bypass this security check by adding a valid signature (e.g. GIF89) and sending any invalid content type. This could allow an authenticated attacker to upload HTML files with JS content that will be executed in the context of the domain.
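The gap between a signature-only check and one that validates the declared type and the whole file structure, as an added example that is not Pimcore's code and not the content of the linked patch. It is a Python sketch narrowed to GIF; `ALLOWED`, the function names and the sample bytes are constructed for illustration.

```python
ALLOWED = {"image/gif"}  # assumption: this sketch narrows the avatar allowlist to GIF

# Constructed samples: a minimal 1x1 GIF, and a GIF signature followed by markup.
TINY_GIF = (b"GIF89a" b"\x01\x00\x01\x00\x00\x00\x00"
            b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" b"\x02\x02\x44\x01\x00\x3b")
SIGNED_HTML = b"GIF89a<html><body>not an image</body></html>"

def signature_only_ok(data: bytes) -> bool:
    # The weak pattern: only the leading signature is inspected.
    return data.startswith((b"GIF87a", b"GIF89a"))

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    # Sub-blocks are <len><len bytes>..., ended by a zero-length block.
    while data[pos] != 0:          # IndexError on truncation, handled by the caller
        pos += 1 + data[pos]
    return pos + 1

def gif_is_well_formed(data: bytes) -> bool:
    """Walk every GIF block; the trailer (0x3B) must be the last byte."""
    if not signature_only_ok(data):
        return False
    try:
        pos = 13                                   # header (6) + screen descriptor (7)
        if data[10] & 0x80:                        # global colour table present
            pos += 3 * (2 << (data[10] & 0x07))
        while True:
            block = data[pos]
            if block == 0x3B:
                return pos == len(data) - 1        # nothing may follow the trailer
            if block == 0x21:                      # extension: introducer, label, sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif block == 0x2C:                    # image descriptor is 10 bytes
                packed = data[pos + 9]
                pos += 10
                if packed & 0x80:                  # local colour table present
                    pos += 3 * (2 << (packed & 0x07))
                pos = _skip_sub_blocks(data, pos + 1)   # +1 skips LZW minimum code size
            else:
                return False
    except IndexError:
        return False

def validate_upload(data: bytes, declared_type: str) -> str:
    """Return the content type the server should store, or raise ValueError."""
    declared = declared_type.split(";")[0].strip().lower()
    if declared not in ALLOWED:
        raise ValueError("declared content type is not on the allowlist")
    if not gif_is_well_formed(data):
        raise ValueError("content is not a well-formed GIF")
    return declared
```

A well-formed GIF can still carry arbitrary text in comment blocks, so the stored file should also be served with the server-chosen type rather than anything the client supplied.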

Patches

Update to version 10.5.16 or apply this patch manually: https://github.com/pimcore/pimcore/pull/14125.patch

Workarounds

Apply https://github.com/pimcore/pimcore/pull/14125.patch manually.

References

https://huntr.dev/bounties/aa7ee076-d729-4fcc-9bcc-48bcbb8eac38/

Severity

High

CVE ID

CVE-2023-23937

Weaknesses