CVE-2021-39166: 
PHP vulnerability analysis and mitigation

Pimcore, an open source data & experience management platform, disclosed a vulnerability (CVE-2021-39166) where text values were not properly escaped before being printed in the version preview. This vulnerability was discovered prior to version 10.1.2 and allowed cross-site scripting (XSS) attacks by authenticated users with access to the resources (GitHub Advisory).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue. The CVSS v3.1 scores vary between sources, with the NVD rating it as 5.4 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) while GitHub rates it as 8.0 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). The vulnerability stems from improper neutralization of text values in the object version preview functionality (NVD).

The vulnerability allows authenticated users with access to resources to perform cross-site scripting attacks. This could potentially lead to the execution of arbitrary web scripts or HTML in the context of other users' browsers who view the affected version preview (GitHub Advisory).

The vulnerability has been patched in Pimcore version 10.1.2. Users are advised to upgrade to this version or later to address the security issue (GitHub Advisory, GitHub PR).