CVE-2023-42817

Cross-site Scripting (XSS) in pimcore admin-ui-classic-bundle translations

Description

Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore. The translation value with text including “%s” (from “%suggest%) is parsed by sprintf() even though it’s supposed to be output literally to the user. The translations may be accessible by a user with comparatively lower overall access (as the translation permission cannot be scoped to certain “modules”) and a skilled attacker might be able to exploit the parsing of the translation string in the dialog box. This issue has been patched in commit `abd77392` which is included in release 1.1.2. Users are advised to update to version 1.1.2 or apply the patch manually.

Category

5.4
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.00%
Third-Party Advisory github.com
Affected: pimcore admin-ui-classic-bundle
Published at:
Updated at:

References

Link Tags
https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-m988-7375-7g2c third party advisory
https://github.com/pimcore/admin-ui-classic-bundle/commit/abd7739298f974319e3cac3fd4fcd7f995b63e4c patch

Frequently Asked Questions

What is the severity of CVE-2023-42817?
CVE-2023-42817 has been scored as a medium severity vulnerability.
How to fix CVE-2023-42817?
To fix CVE-2023-42817, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-42817 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-42817 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-42817?
CVE-2023-42817 affects pimcore admin-ui-classic-bundle.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.