XSS in Quantity Value of Data Objects module in Settings in pimcore/pimcore

Valid

Reported on

Mar 26th 2023

Description

pimcore is vulnerable to XSS at Abbreviation and Longname fields in Quantity Value of Data Objects module in Settings.

Payload

"><img src=x onerror=alert(document.domain);>

Proof of Concept

1.Go to https://11.x-dev.pimcore.fun/admin/ and login.
2.In the left menu bar, go to Settings -> Data Objects -> Quantity Value.
3.In the QuantityValue Unit Definition tab, and click on Add button then input any text into the Unique identifier field then click OK to add a new record.
4.Input the payload "><img src=x onerror=alert(document.domain);> into the Abbreviation or Longname fields of the new added record then click Update.
You will see the XSS popup triggers.

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.

We are processing your report and will contact the pimcore team within 24 hours. 2 months ago

We have contacted a member of the pimcore team and are waiting to hear back 2 months ago

A pimcore/pimcore maintainer has acknowledged this report 2 months ago

Christian F. validated this vulnerability a month ago

KhanhCM has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Divesh Pahuja marked this as fixed in 10.5.21 with commit e3562b a month ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

Divesh Pahuja published this vulnerability a month ago

to join this conversation