=====================================================================
                            CERT-Renater

                 Information Note No. 2023/VULN053
_____________________________________________________________________

DATE                 : 03/02/2023

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Pimcore versions prior to
                       10.5.16.

=====================================================================
https://github.com/pimcore/pimcore/security/advisories/GHSA-8xv4-jj4h-qww6
_____________________________________________________________________

Missing file upload type validation in user profile

dvesh3 published GHSA-8xv4-jj4h-qww6 Feb 1, 2023

Package
pimcore/pimcore (Composer)

Affected versions
< 10.5.16

Patched versions
10.5.16

Description

Impact

The upload functionality for updating the user profile does not
properly validate the file content-type, allowing any authenticated
user to bypass this security check by adding a valid signature (e.g.
GIF89) and sending any invalid content-type. This could allow an
authenticated attacker to upload HTML files with JS content that will
be executed in the context of the domain.

Patches

Update to version 10.5.16 or apply this patch manually:
https://github.com/pimcore/pimcore/pull/14125.patch

Workarounds

Apply https://github.com/pimcore/pimcore/pull/14125.patch manually.

References

https://huntr.dev/bounties/aa7ee076-d729-4fcc-9bcc-48bcbb8eac38/

Severity
High

CVE ID
CVE-2023-23937

Weaknesses
CWE-434

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
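
The following is an added example, not Pimcore's code and not the content of the referenced patch. It sketches server-side validation for a profile-image upload that does not rely on the client-sent content-type or on a leading signature alone. The function name sanitize_avatar, the size limit and the allowed-type list are assumptions; it requires PHP 7.4 or later with the fileinfo and GD extensions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper for illustration (not part of Pimcore).
// Returns the image re-encoded as PNG bytes, or null when the upload
// is not a fully decodable image of an allowed type.
function sanitize_avatar(string $bytes, int $maxBytes = 2_000_000): ?string
{
    if ($bytes === '' || strlen($bytes) > $maxBytes) {
        return null;
    }

    // 1. Derive the type from the content itself. The Content-Type header
    //    and the original file name are client-controlled and are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if (!in_array($mime, ['image/gif', 'image/png', 'image/jpeg'], true)) {
        return null;
    }

    // 2. A signature alone proves nothing: "GIF89a" followed by markup can
    //    still be sniffed as image/gif. Require the whole file to decode.
    $img = @imagecreatefromstring($bytes);
    if ($img === false) {
        return null;
    }

    // 3. Re-encode so that only pixel data is stored; anything appended to
    //    or embedded in the original file is not carried over.
    ob_start();
    $ok  = imagepng($img);
    $png = ob_get_clean();

    return ($ok && is_string($png) && $png !== '') ? $png : null;
}

// Constructed sample inputs: a signature followed by markup, and a real
// 8x8 GIF produced by GD.
$polyglot = "GIF89a<html><script>/* script body */</script></html>";

ob_start();
imagegif(imagecreatetruecolor(8, 8));
$realGif = (string) ob_get_clean();

var_dump(sanitize_avatar($polyglot));
var_dump(strlen((string) sanitize_avatar($realGif)));
```

Store the returned bytes under a server-generated name with a .png extension, and serve them with a fixed image Content-Type and X-Content-Type-Options: nosniff so the browser never interprets the file as HTML.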