Vulnerability Details

CVE: CVE-2022-0565
Vulnerability Type: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity: High (7.6)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: High
Affected Version: Not specified in the screenshot
Status: Fixed
Disclosure Bounty: $40
Fix Bounty: $10
Found by: ranjit-git (@ranjit-git)
Fixed by: JiaJia Ji (@kingjia90)

Description

XSS

Proof of Concept

Previous bug was not properly fixed and can be bypassed using an event handler. The only check was for tags, which can be bypassed using onload event handlers.

Timeline

- Report submitted on Jan 20th, 2022
- Validation and communication with the pimcore team
- Vulnerability validated by JiaJia Ji
- Bounty awarded to ranjit-git for disclosure
- Bounty for fix is up for grabs
- Marked as fixed in pimcore version 10.3.1 with commit 7697f7

Additional Notes

Visibility: Public
The vulnerability was fixed by JiaJia Ji.
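
The Proof of Concept above describes a filter that checks only for tags and misses event-handler attributes. The following added example (not pimcore's code or its fix, and written in Python rather than pimcore's PHP) contrasts such a check with an allowlist sanitizer. It assumes the tag check targets script tags, which the report does not state; all function names, allowlists and the sample input are hypothetical.

```python
import re
from html import escape
from html.parser import HTMLParser

def tag_only_check(value):
    """Weak filter: accepts input unless it contains a script tag (assumed form)."""
    return re.search(r"<\s*/?\s*script\b", value, re.I) is None

# Hypothetical allowlists; anything not named here is dropped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_URL = re.compile(r"(https?://|/|[^:]*$)", re.I)  # blocks javascript: etc.

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside script/style
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        if tag not in ALLOWED_TAGS:
            return
        kept = ""
        for name, val in attrs:
            val = val or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # every on* event handler is dropped here
            if name in ("href", "src") and not SAFE_URL.match(val):
                continue
            kept += f' {name}="{escape(val, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(value):
    parser = AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)

# Constructed sample input, not taken from the report.
SAMPLE = '<img src="x.png" onload="doSomething()">'
print(tag_only_check(SAMPLE), sanitize(SAMPLE))
```

The tag-only check accepts the sample unchanged, while the allowlist sanitizer keeps the image and drops the handler attribute.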