XSS in choose time value Classes Data Objects in pimcore/pimcore
Reported on
Apr 27th 2023
Description
XSS in choose time value Classes Data Object
Proof of Concept
- Log in at https://demo.pimcore.fun/admin
- Go to Settings -> Data Objects -> Classes -> News (NE) -> Dates & Images
- In the Dates & Images tab, inject the payload into the time value under Specific Settings

Payload: \"><svg><animate onbegin=prompt(document.domain) attributeName=x dur=1s>
video PoC: https://drive.google.com/file/d/1yk5jvyTVP1pJf7Dpf-waKo06K2b_Gz0p/view?usp=sharing
Impact
An attacker can use XSS to send a malicious script to any user.
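The payload above works by closing the HTML attribute that holds the stored time value with a double quote and opening new tags. The following JavaScript is an added example, not pimcore's code: it contrasts raw string concatenation of a stored value with attribute encoding plus strict format validation, using the reporter's payload as the constructed input (the render functions and their markup are hypothetical).

```javascript
// Constructed input: the payload from the report, stored as a "time" value.
const PAYLOAD = '\\"><svg><animate onbegin=prompt(document.domain) attributeName=x dur=1s>';

// Encode a value for a double-quoted HTML attribute context. Quotes and
// angle brackets become entities, so the value can never end the attribute.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable pattern (hypothetical): the stored value is concatenated straight
// into markup, so a value containing `"` terminates the attribute and the rest
// is parsed as new elements.
function renderTimeInputUnsafe(value) {
  return '<input type="text" name="time" value="' + value + '">';
}

// Hardened pattern: encode for the attribute context before interpolating.
function renderTimeInputSafe(value) {
  return '<input type="text" name="time" value="' + escapeHtmlAttr(value) + '">';
}

// Defence in depth: a time setting should only ever hold a clock time, so
// reject anything that is not HH:MM before it is stored at all.
const TIME_RE = /^([01]\d|2[0-3]):[0-5]\d$/;
function isValidTime(value) {
  return TIME_RE.test(String(value));
}

// Review/test helper: count element openers in rendered markup. A single
// input field must produce exactly one, whatever the value contained.
function countTagOpeners(markup) {
  return (markup.match(/<[a-zA-Z]/g) || []).length;
}

console.log('unsafe openers:', countTagOpeners(renderTimeInputUnsafe(PAYLOAD))); // 3
console.log('safe openers:  ', countTagOpeners(renderTimeInputSafe(PAYLOAD)));   // 1
console.log('payload is a valid time:', isValidTime(PAYLOAD));                    // false
```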
Thanks for finding this issue, but I couldn't reproduce it. I tried to watch the video, but I don't have access. Could you please give me access to watch it? Thanks
Sorry, you can access it here: https://drive.google.com/file/d/1yk5jvyTVP1pJf7Dpf-waKo06K2b_Gz0p/view?usp=sharing

PoC:
- Log in at https://demo.pimcore.fun/admin
- Go to Settings -> Data Objects -> Classes -> News (NE) -> Dates & Images
- In the Dates & Images tab, inject the payload into the time value under Specific Settings
Hi @hieuminhnv, it seems this is a duplicate of https://huntr.dev/bounties/7336b71f-a36f-4ce7-a26d-c8335ac713d6/ and was already fixed in version 10.5.21.
Hi @Divesh Pahuja, the vuln in report https://huntr.dev/bounties/7336b71f-a36f-4ce7-a26d-c8335ac713d6/ was reported on version 10.5.19, fixed in 10.5.20, and made public before I found this bug in 10.5.21. Why duplicate??? One more thing: the bug in the other report is on the fromDate or toDate field, and here it's on the TIME field. Too confusing, hazz. Okay, bye
Hi @HMs, sorry, but I am not able to reproduce this on 10.6. Could you please try it on our latest 10.6 version, because we no longer maintain 10.5? Thanks
Hi @hieuminhnv, we are now able to reproduce this and we are working on it. Thanks for finding this.