XSS in HTML-Tags in pimcore/pimcore


Reported on

Jan 31st 2023


Cross site scripting vulnerability in pimcore/pimcore in HTML-Tags of "SEO & Settings"

Proof of Concept

1. Log in to the stable account. URL: https://demo.pimcore.fun/admin/?_dc=1675166039&perspective=
2. Go to Home ---> SEO & Settings
3. Enter the payload in HTML-Tags

For more understanding, please check the POC: https://drive.google.com/file/d/18_sFHJXEZyubEZ3MO6KK1oBtDZ_BuXpR/view?usp=sharing


The vulnerability is capable of stealing the user's cookie.

We are processing your report and will contact the pimcore team within 24 hours. 2 months ago
Sanket Salavi modified the report
2 months ago
We have contacted a member of the pimcore team and are waiting to hear back 2 months ago
pimcore/pimcore maintainer has acknowledged this report 2 months ago
Divesh Pahuja modified the Severity from High (8.3) to Medium (5.2) 21 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Divesh Pahuja validated this vulnerability 15 days ago
Sanket Salavi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 11.0.0 with commit da2af2 15 days ago
Divesh Pahuja has been awarded the fix bounty
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 15 days ago
settings.js#L57 has been validated
Remo Liebi
6 days ago

I don't agree with this classification. This is by no means a 5.2 or even worth a CVE. The process is only available for logged-in users and can be disabled by permission. By the logic of this "bug", an "in-tool" file editor is worth a CVE as well.
