Stored XSS in name parameter of "Customers Reports" in pimcore/pimcore
Mar 20th 2023
The name parameter of the "Static Routes" functionality is vulnerable to stored XSS.
Proof of Concept
1.Login to https://demo.pimcore.fun/admin/. 2.Now go to Marketing -> Customers Reports -> Add and Enter the name of the new item (a-zA-Z-_). 3.Then capture the request on the burp suite and modify the name parameter value with xss payload: ```"><img src=1 onerror=alert(1337)> or "><img src=1 onerror=alert(document.domain)>``` and forward the request. 4.Now xss will trigger.
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.
Please add it to the above report as an occurrence. Opening more than 1 report per vulnerability type by circumventing our bundling system can result in a ban.
Hi @psmoros i have updated the report
https://huntr.dev/bounties/41edf190-f6bf-4a29-a237-7ff1b2d048d3/ and added this as occurrence
@dvesh3 @maintainer Now please validate the report and the occurrences.
@admin how can i find the published CVE for this fix? thanks!
@admin please help
Hi, the CVE is assigned and will update to published shortly. Thanks!