CVE-2023-23937

8.2 HIGH

📋 TL;DR

This vulnerability allows authenticated users to bypass file upload validation in Pimcore by adding a fake GIF signature to malicious files. Attackers can upload HTML files containing JavaScript that executes in the domain context, potentially leading to cross-site scripting attacks. All Pimcore installations with user upload functionality are affected.

💻 Affected Systems

Products:
  • Pimcore
Versions: All versions before 10.5.16
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to profile upload functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Authenticated attacker uploads malicious HTML/JS files that execute in domain context, leading to session hijacking, account takeover, or malware distribution to other users.

🟠 Likely Case

Authenticated user uploads malicious scripts that execute when viewed by other users, enabling cross-site scripting attacks and potential data theft.

🟢 If Mitigated

With proper input validation and content-type checking, malicious uploads are blocked, limiting impact to failed upload attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is technically simple once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.5.16

Vendor Advisory: https://github.com/pimcore/pimcore/security/advisories/GHSA-8xv4-jj4h-qww6

Restart Required: No

Instructions:

1. Update Pimcore to version 10.5.16 or later.
2. Apply the patch from the GitHub commit.
3. Verify the fix by testing file upload functionality.

🔧 Temporary Workarounds

Disable user profile uploads (applies to: all)

Temporarily disable the vulnerable upload functionality until patching is complete.
How: Modify Pimcore configuration to disable user profile file uploads.

Implement WAF rules (applies to: all)

Add web application firewall rules to block suspicious file uploads with mismatched content types.
How: Configure WAF to inspect Content-Type headers and file signatures.

🧯 If You Can't Patch

  • Implement strict file upload validation at the application layer
  • Restrict user upload permissions to trusted users only
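The first bullet above is the core defence: the declared Content-Type, the file extension and the actual bytes must all agree, and "starts with GIF89a" alone is not agreement, because the page's own description is a GIF signature glued onto HTML. The validator below is an added example written for this page; it is not Pimcore's code and does not mirror the vendor fix. It assumes an allow-list of image types for profile uploads and that the caller hands it the raw bytes plus the client-supplied filename and Content-Type. The sample inputs in the block are constructed.

```python
"""Strict upload validation: extension, declared Content-Type and content must agree.

Added example, not Pimcore's code. ALLOWED, the GIF structural check and the
polyglot scan are this example's own design decisions (assumptions), not an API
of the project.
"""
import re
from dataclasses import dataclass

# Allow-list for a profile-picture endpoint: extension -> (expected MIME type, magic prefixes)
ALLOWED = {
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
}

# Markup that has no business inside an image; an "image" carrying it is a polyglot.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(script|html|body|iframe|svg|object|embed)\b|javascript:", re.IGNORECASE
)


@dataclass
class Verdict:
    ok: bool
    reason: str


def _is_wellformed_gif(data: bytes) -> bool:
    """Cheap structural check: header + logical screen descriptor, optional global
    colour table, a valid first block type, and the GIF trailer (0x3B) as last byte.
    A fake signature followed by HTML fails this even before the markup scan."""
    if len(data) < 14 or data[-1] != 0x3B:
        return False
    width = int.from_bytes(data[6:8], "little")
    height = int.from_bytes(data[8:10], "little")
    if width == 0 or height == 0:
        return False
    packed = data[10]
    pos = 13
    if packed & 0x80:  # global colour table present: 3 bytes per entry, 2^(N+1) entries
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    if pos >= len(data):
        return False
    return data[pos] in (0x21, 0x2C, 0x3B)  # extension, image descriptor or trailer


def validate_upload(data: bytes, filename: str, declared_type: str) -> Verdict:
    """Reject anything where extension, declared type and real content disagree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return Verdict(False, f"extension '{ext}' not in allow-list")
    expected_type, magics = ALLOWED[ext]
    if declared_type.split(";")[0].strip().lower() != expected_type:
        return Verdict(False, f"Content-Type {declared_type!r} does not match .{ext}")
    if not any(data.startswith(m) for m in magics):
        return Verdict(False, "file signature does not match extension")
    if ext == "gif" and not _is_wellformed_gif(data):
        return Verdict(False, "GIF signature present but body is not a GIF")
    if ACTIVE_CONTENT.search(data):
        return Verdict(False, "image contains HTML/script markup (polyglot)")
    return Verdict(True, "ok")


# Constructed samples: a minimal valid 1x1 GIF, and HTML behind a fake GIF signature.
GOOD_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00"  # header + logical screen descriptor
    b"\x00\x00\x00\xff\xff\xff"            # global colour table (2 entries)
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
    b"\x02\x02\x44\x01\x00"                # LZW data
    b"\x3b"                                # trailer
)
FAKE_GIF_HTML = b"GIF89a<html><body><script>alert(document.domain)</script></body></html>"

if __name__ == "__main__":
    print(validate_upload(GOOD_GIF, "avatar.gif", "image/gif"))
    print(validate_upload(FAKE_GIF_HTML, "avatar.gif", "image/gif"))
    print(validate_upload(FAKE_GIF_HTML, "avatar.html", "image/gif"))
```

The checks are layered on purpose: the structural GIF parse catches a signature glued onto arbitrary bytes, and the markup scan catches active content hidden inside an otherwise valid image (for example in a comment extension). Validation alone is still only half the story; uploads should also be served with an explicit image Content-Type, X-Content-Type-Options: nosniff, and ideally from a separate origin so that any file that does slip through cannot run in the application's domain context.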

🔍 How to Verify

Check if Vulnerable:

Check if Pimcore version is below 10.5.16 and test if file upload accepts files with mismatched content-type and file signatures.

Check Version:

Check the Pimcore version in the admin panel, or run composer show pimcore/pimcore on the server.

Verify Fix Applied:

After updating to 10.5.16+, test that file uploads with mismatched content-type and signatures are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed upload attempts with different content types
  • Uploads of files with .html extension via profile update

Network Indicators:

  • HTTP POST requests to upload endpoints with mismatched Content-Type headers

SIEM Query:

source="pimcore" AND (event="file_upload" AND (file_extension=".html" OR content_type!="image/gif"))
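The query above and the two log indicators can be turned into detection logic that runs over upload events. The script below is an added example, not from the page or from Pimcore; it assumes upload events are logged as space-separated key=value pairs whose field names follow the SIEM query (source, event, file_extension, content_type) plus a user and status field, and the log lines it processes are constructed. It implements the page's query as written, a tighter declared-type-versus-extension mismatch check, and the "multiple failed attempts with different content types" indicator per user. Note that the page's query also fires on every legitimate non-GIF upload (the PNG line from alice), so the mismatch check is the lower-noise signal.

```python
"""Detection logic for the log indicators above, run over constructed sample log lines.

Added example, not from the page or from Pimcore. The log format and field names
are assumptions; the sample lines are constructed for this example.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2023-02-09T10:12:01Z source=pimcore event=file_upload user=alice file_extension=.png content_type=image/png status=ok
2023-02-09T10:12:40Z source=pimcore event=file_upload user=mallory file_extension=.html content_type=text/html status=rejected
2023-02-09T10:12:52Z source=pimcore event=file_upload user=mallory file_extension=.html content_type=image/gif status=ok
2023-02-09T10:13:05Z source=pimcore event=file_upload user=mallory file_extension=.gif content_type=application/xhtml+xml status=rejected
2023-02-09T10:13:30Z source=pimcore event=login user=bob status=ok
2023-02-09T10:14:00Z source=pimcore event=file_upload user=bob file_extension=.gif content_type=image/gif status=ok
"""

KV = re.compile(r"(\w+)=(\S+)")

# What a given extension should declare; anything else is a mismatch worth a look.
EXPECTED_TYPE = {".gif": "image/gif", ".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg"}


def parse(line: str) -> dict:
    """Timestamp, then key=value pairs."""
    ts, _, rest = line.partition(" ")
    event = dict(KV.findall(rest))
    event["ts"] = ts
    return event


def matches_siem_query(ev: dict) -> bool:
    """Literal translation of the SIEM query on the page."""
    return (
        ev.get("source") == "pimcore"
        and ev.get("event") == "file_upload"
        and (ev.get("file_extension") == ".html" or ev.get("content_type") != "image/gif")
    )


def type_mismatch(ev: dict) -> bool:
    """Declared Content-Type disagrees with the extension (or the extension is not an image)."""
    if ev.get("event") != "file_upload":
        return False
    return EXPECTED_TYPE.get(ev.get("file_extension", "")) != ev.get("content_type")


def analyse(log_text: str, fail_threshold: int = 2) -> dict:
    """Return query hits, type mismatches, and users with repeated rejected uploads
    using at least `fail_threshold` distinct content types."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    hits = [e for e in events if matches_siem_query(e)]
    mismatches = [e for e in events if type_mismatch(e)]
    failed_types = defaultdict(set)
    for e in events:
        if e.get("event") == "file_upload" and e.get("status") == "rejected":
            failed_types[e["user"]].add(e["content_type"])
    repeat_offenders = sorted(u for u, types in failed_types.items() if len(types) >= fail_threshold)
    return {"query_hits": hits, "type_mismatches": mismatches, "repeat_offenders": repeat_offenders}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for e in result["query_hits"]:
        print("query hit     ", e["ts"], e["user"], e.get("file_extension"), e.get("content_type"))
    for e in result["type_mismatches"]:
        print("type mismatch ", e["ts"], e["user"], e.get("file_extension"), e.get("content_type"))
    print("repeat offenders:", result["repeat_offenders"])
```

In the sample, the page's query matches four events including alice's legitimate PNG, while the mismatch check isolates mallory's three attempts, and the per-user counter surfaces mallory for two rejected uploads with different declared types. Run against real logs, the mismatch and repeat-failure signals are the ones to alert on; the broad query is better kept as a hunting search.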

🔗 References
