XSS in HTML-Tags in pimcore/pimcore


Reported on

Jan 31st 2023


Cross site scripting vulnerability in pimcore/pimcore in HTML-Tags of "SEO & Settings"

Proof of Concept

1. Login in stable account URL : https://demo.pimcore.fun/admin/?_dc=1675166039&perspective=
2. Go to Home ---> SEO & Settings 
3. Enter Payload in HTML-Tags 

For More Understanding please check POC :  https://drive.google.com/file/d/18_sFHJXEZyubEZ3MO6KK1oBtDZ_BuXpR/view?usp=sharing


The vulnerability is capable of stolen the user cookie.

We are processing your report and will contact the pimcore team within 24 hours. a year ago
Sanket Salavi modified the report
a year ago
We have contacted a member of the pimcore team and are waiting to hear back a year ago
pimcore/pimcore maintainer has acknowledged this report a year ago
Divesh Pahuja modified the Severity from High (8.3) to Medium (5.2) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Divesh Pahuja validated this vulnerability a year ago
sanketx0722 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 11.0.0 with commit da2af2 a year ago
Divesh Pahuja has been awarded the fix bounty
This vulnerability has now been published a year ago
settings.js#L57 has been validated
Remo Liebi
a year ago

I don't agree with this classification. This is by no means a 5.2 or even worth a CVE. The Process is only available for logged in users an can be disabled by permission. By the logic of this "bug" a "in-tool" file editor is worth a CVE as well.

Divesh Pahuja
a year ago


Hi, Thanks for reporting. CVE has been withdrawn as we don't consider this as security issue anymore.

to join this conversation