CVE-2023-42817: Pimcore Backend UI Translation Parsing Allows Elevated Access
GHSA-m988-7375-7g2c
CVE-2023-42817
Summary
A flaw in the Pimcore Backend UI (admin-ui-classic-bundle) passes a translation value containing "%s" through sprintf() instead of outputting it literally, so a user with comparatively low access (translation permission only) could abuse how that string is parsed in a dialog box. The issue is fixed in version 1.1.2; update to it, or apply the patch manually, and prefer the latest release.
What to do
- Update pimcore admin-ui-classic-bundle to version 1.1.2.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| composer | pimcore | admin-ui-classic-bundle | < 1.1.2 (fix: upgrade to 1.1.2) |
| – | pimcore | admin_classic_bundle | < 1.1.2 (cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:pimcore:*:*) |
Original title
Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore. The translation value with text including “%s” (from “%suggest%”) is parsed by sprintf() even though it’s supposed to be output lit...
Original description
Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore. The translation value with text including “%s” (from “%suggest%”) is parsed by sprintf() even though it’s supposed to be output literally to the user. The translations may be accessible by a user with comparatively lower overall access (as the translation permission cannot be scoped to certain “modules”) and a skilled attacker might be able to exploit the parsing of the translation string in the dialog box. This issue has been patched in commit `abd77392` which is included in release 1.1.2. Users are advised to update to version 1.1.2 or apply the patch manually.
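The parsing mistake the description refers to, shown as an added JavaScript illustration that is not Pimcore's code: a minimal sprintf() stand-in, the dialog template, the %suggest% placeholder handling and the sample translation values are all constructed here to model the pattern, and an audit helper flags stored translations that carry format directives or markup.

```javascript
// Added example, not Pimcore code. Minimal sprintf(): "%%" -> "%",
// "%s" -> next argument, a "%s" with no argument left becomes "".
function sprintf(fmt, ...args) {
  let i = 0;
  return fmt.replace(/%%|%s/g, (m) =>
    m === "%%" ? "%" : i < args.length ? String(args[i++]) : ""
  );
}

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c])
  );
}

// Constructed dialog template (a constant in the application). %suggest% is a
// placeholder the app fills with the editor-managed translation; %s is the query.
const TEMPLATE = "No results for <b>%s</b>. %suggest%";

// Vulnerable pattern: the translation is spliced INTO the format string before
// sprintf() runs, so any "%s" an editor wrote is interpreted as a directive
// (and steals or drops arguments), and nothing is HTML-escaped on the way to
// the dialog markup.
function renderVulnerable(translation, query) {
  const fmt = TEMPLATE.replace("%suggest%", () => translation);
  return sprintf(fmt, query);
}

// Hardened pattern: the format string stays constant; the translation becomes
// an ARGUMENT and every argument is HTML-escaped, so it is output literally.
function renderHardened(translation, query) {
  const fmt = TEMPLATE.replace("%suggest%", () => "%s");
  return sprintf(fmt, escapeHtml(query), escapeHtml(translation));
}

// Audit helper for a translation table: keys whose value carries a format
// directive or an angle bracket, which literal UI text should never need.
function suspiciousTranslations(translations) {
  return Object.entries(translations)
    .filter(([, v]) => /%[sd%]|[<>]/.test(v))
    .map(([k]) => k);
}
```

Running the audit over an export of the translation table is a cheap way to check whether any low-privilege editor has already stored a value that would be misparsed by the unpatched code.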
GHSA CVSS 3.1 base score: 5.4
Vulnerability type: CWE-79 Cross-site Scripting (XSS)
Published: 25 Sep 2023 · Updated: 15 Jun 2026 · First seen: 6 Mar 2026