CVE-2024-11954: Pimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document

January 28, 2025 (updated November 4, 2025)

A Stored Cross-Site Scripting (XSS) vulnerability in PIMCORE allows remote attackers to inject arbitrary web script or HTML via the PDF upload functionality. This can result in the execution of malicious scripts in the context of the user’s browser when the PDF is viewed, leading to potential session hijacking, defacement of web pages, or unauthorized access to sensitive information.

References

github.com/advisories/GHSA-xr3m-6gq6-22cg
github.com/pimcore/pimcore
github.com/pimcore/pimcore/security/advisories/GHSA-xr3m-6gq6-22cg
nvd.nist.gov/vuln/detail/CVE-2024-11954
vuldb.com/?ctiid.293905

Code Behaviors & Features

Detect and mitigate CVE-2024-11954 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →