CVE-2021-4084: 
PHP vulnerability analysis and mitigation

CVE-2021-4084 is a Cross-site Scripting (XSS) vulnerability affecting Pimcore software. The vulnerability was discovered and disclosed in December 2021, allowing attackers to perform improper neutralization of input during web page generation. This vulnerability affects Pimcore versions up to (excluding) 10.2.6 (NVD).

The vulnerability is classified as a Cross-site Scripting (XSS) issue with a CVSS v3.1 Base Score of 6.1 MEDIUM (NIST:NVD) and 7.4 HIGH (huntr.dev). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it is network accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

The vulnerability allows attackers to inject malicious scripts that can execute in the context of other users' browsers, potentially leading to unauthorized access to sensitive information, session hijacking, or defacement of the web interface (NVD).

The vulnerability has been patched in Pimcore version 10.2.6. Users are advised to upgrade to this version or later. The fix involves properly escaping general settings input values in the DataObject Class interface (Github Patch).