Cross site scripting vulnerability in pimcore in pimcore/pimcore

Valid

Reported on

Dec 13th 2022


Description

Cross-site scripting vulnerability in the "title field" of data objects in pimcore/pimcore.

Proof of Concept

  1. Log in with the dev account at https://11.x-dev.pimcore.fun/admin/?_dc=1670962076&perspective=

  2. Go to setting --> data objects --> classes --> events

  3. Click media under general settings

  4. Add the payload in the title field.

  5. Go to the data objects module and open events; the XSS will trigger.

// PoC.js
"><iMg SrC="x" oNeRRor="alert(xss);">

Impact

The vulnerability can be used to steal the user's cookie.
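The payload above works by closing an attribute value and the enclosing tag, so the defence is to HTML-encode the stored title at the point where it is written into markup. The following is an added example, not pimcore code and not the project's fix: `renderFieldUnsafe`, `renderFieldSafe`, the `<label>` markup and the helper names are hypothetical, and it assumes the title reaches the page through string concatenation into an attribute.

```javascript
// Added example: constructed markup and helper names, not pimcore source code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can end an attribute value or open a tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical sink (assumption): the stored title is concatenated unchanged.
function renderFieldUnsafe(title) {
  return '<label title="' + title + '">Media</label>';
}

// Same sink with output encoding applied at render time.
function renderFieldSafe(title) {
  return '<label title="' + escapeHtml(title) + '">Media</label>';
}

// Count element start tags; a crude tokenizer that is sufficient for this check.
function countStartTags(markup) {
  return (markup.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Regression check: a stored value must never change how many elements render.
function injectsElements(render, value) {
  return countStartTags(render(value)) !== countStartTags(render("benign"));
}

// The title value from the report's proof of concept.
const PAYLOAD = '"><iMg SrC="x" oNeRRor="alert(xss);">';

console.log("unsafe renderer injects elements:", injectsElements(renderFieldUnsafe, PAYLOAD));
console.log("safe renderer injects elements:  ", injectsElements(renderFieldSafe, PAYLOAD));
console.log("encoded title:", escapeHtml(PAYLOAD));
```

A check like `injectsElements` can run in a unit test against every renderer that outputs user-editable class or field settings.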

We are processing your report and will contact the pimcore team within 24 hours. 4 months ago
We have contacted a member of the pimcore team and are waiting to hear back 4 months ago
pimcore/pimcore maintainer has acknowledged this report 4 months ago
Divesh Pahuja validated this vulnerability 2 months ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.14 with commit 746fac 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 2 months ago