CVE-2023-42817: 
PHP vulnerability analysis and mitigation

CVE-2023-42817 affects Pimcore admin-ui-classic-bundle, a Backend UI for Pimcore. The vulnerability was discovered in versions prior to 1.1.2 and involves improper handling of translation values containing '%s' strings, which are parsed by sprintf() instead of being output literally to users (GitHub Advisory).

The vulnerability occurs when translation values containing '%s' (from '%suggest') are processed by the sprintf() function instead of being displayed literally. This affects the translation functionality in the dialog box. The issue has been assigned a CVSS v3.1 base score of 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability can be exploited by users with lower access privileges, as translation permissions cannot be scoped to specific modules. A skilled attacker could potentially exploit the translation string parsing in the dialog box to perform cross-site scripting attacks, potentially leading to unauthorized access to sensitive information or manipulation of user interface elements (GitHub Advisory).

The vulnerability has been patched in version 1.1.2 of the admin-ui-classic-bundle. Users are advised to upgrade to this version or apply the patch manually through commit abd77392. The fix involves modifying the handling of translation strings to prevent recursive parsing of arguments containing '%' characters (GitHub Advisory, GitHub Patch).