CVE-2023-28429: 
PHP vulnerability analysis and mitigation

CVE-2023-28429 affects Pimcore, an open source data and experience management platform, specifically versions prior to 10.5.19. The vulnerability was discovered in March 2023 and involves an unsecured tooltip field in DataObject class definition (NVD, GitHub Advisory).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue (CWE-79) with a CVSS v3.1 Base Score of 6.1 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R). The scope is changed (S:C) with low impacts on both confidentiality and integrity (C:L, I:L) and no impact on availability (A:N) (NVD).

If exploited, this vulnerability could allow attackers to steal user cookies and gain unauthorized access to user accounts through the stolen cookies. Additionally, attackers could potentially redirect users to malicious sites (GitHub Advisory).

Users are advised to upgrade to Pimcore version 10.5.19 or later. As a workaround, users can manually apply the patch available in the pull request. The fix involves improving tooltip handling by implementing proper HTML encoding of the tooltip content (GitHub PR, GitHub Advisory).