GHSA-2xpm-cmvw-3jcc: 
PHP vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the Application Logger module of pimcore/pimcore versions prior to 10.5.19. The vulnerability was assigned identifier GHSA-2xpm-cmvw-3jcc and CVE-2023-1312, and was published on March 16, 2023. The issue was discovered by security researcher khanhchauminh and received a moderate severity rating with a CVSS score of 4.8 (GitHub Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It received a CVSS v3.1 base score of 4.8 (Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability requires network access, has low attack complexity, requires high privileges, and needs user interaction to exploit. The scope is changed, with low impacts on confidentiality and integrity, but no impact on availability (NVD).

The vulnerability could potentially allow attackers to steal user cookies and gain unauthorized access to user accounts through the stolen cookies. Additionally, it could enable attackers to redirect users to malicious sites (GitHub Advisory).

Users are advised to update to version 10.5.19 or later to address this vulnerability. Alternatively, users can manually apply the patch available at https://github.com/pimcore/pimcore/pull/14606.patch (GitHub Advisory).