Stored XSS in name parameter of "Customers Reports" in pimcore/pimcore

Valid

Reported on

Mar 20th 2023

Description

The name parameter of the "Static Routes" functionality is vulnerable to stored XSS.

Proof of Concept

1.Login to https://demo.pimcore.fun/admin/.

2.Now go to Marketing -> Customers Reports -> Add and Enter the name of the new item (a-zA-Z-_).

3.Then capture the request on the burp suite and modify the name parameter value with xss payload: ```"><img src=1 onerror=alert(1337)> or "><img src=1 onerror=alert(document.domain)>``` and forward the request.

4.Now xss will trigger.

Video PoC

https://drive.google.com/file/d/1WNdLQ-vjcfPWG4k24MMBkknTocPgCSLB/view?usp=share_link

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.

References

huntr.dev report

We are processing your report and will contact the pimcore team within 24 hours. 2 months ago

We have contacted a member of the pimcore team and are waiting to hear back 2 months ago

Pavlos has marked this vulnerability as a duplicate of 41edf190-f6bf-4a29-a237-7ff1b2d048d3 2 months ago

Please add it to the above report as an occurrence. Opening more than 1 report per vulnerability type by circumventing our bundling system can result in a ban.

The disclosure bounty has been dropped

The fix bounty has been dropped

The researcher's credibility has decreased: -5

SAMPRIT DAS

commented 2 months ago

Researcher

Hi @psmoros i have updated the report https://huntr.dev/bounties/41edf190-f6bf-4a29-a237-7ff1b2d048d3/ and added this as occurrence

SAMPRIT DAS modified the report

20 days ago

SAMPRIT DAS

commented 20 days ago

Researcher

@dvesh3 @maintainer Now please validate the report and the occurrences.

SAMPRIT DAS modified the report

17 days ago

Divesh Pahuja validated this vulnerability 17 days ago

SAMPRIT DAS has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Divesh Pahuja marked this as fixed in 10.5.21 with commit c36ef5 17 days ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

Divesh Pahuja

commented 17 days ago

Maintainer

@admin how can i find the published CVE for this fix? thanks!

SAMPRIT DAS

commented 16 days ago

Researcher

@admin please help

Ben Harvie

commented 16 days ago

Admin

Hi, the CVE is assigned and will update to published shortly. Thanks!

to join this conversation

We are processing your report and will contact the pimcore team within 24 hours. 2 months ago

We have contacted a member of the pimcore team and are waiting to hear back 2 months ago

Pavlos has marked this vulnerability as a duplicate of 41edf190-f6bf-4a29-a237-7ff1b2d048d3 2 months ago

Please add it to the above report as an occurrence. Opening more than 1 report per vulnerability type by circumventing our bundling system can result in a ban.

The disclosure bounty has been dropped

The fix bounty has been dropped

The researcher's credibility has decreased: -5

SAMPRIT DAS

commented 2 months ago

Researcher

Hi @psmoros i have updated the report https://huntr.dev/bounties/41edf190-f6bf-4a29-a237-7ff1b2d048d3/ and added this as occurrence

SAMPRIT DAS modified the report

20 days ago

SAMPRIT DAS

commented 20 days ago

Researcher

@dvesh3 @maintainer Now please validate the report and the occurrences.

SAMPRIT DAS modified the report

17 days ago

Divesh Pahuja validated this vulnerability 17 days ago

SAMPRIT DAS has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Divesh Pahuja marked this as fixed in 10.5.21 with commit c36ef5 17 days ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

Divesh Pahuja

commented 17 days ago

Maintainer

@admin how can i find the published CVE for this fix? thanks!

SAMPRIT DAS

commented 16 days ago

Researcher

@admin please help

Ben Harvie

commented 16 days ago

Admin

Hi, the CVE is assigned and will update to published shortly. Thanks!

to join this conversation