Bypass Stored XSS in Catalog in pimcore/pimcore

Valid

Reported on Mar 30th 2023


  1. Log in at URL: https://demo.pimcore.fun/admin
  2. Go to File -> Perspectives -> Catalog
  3. Click in tab Properties -> footer -> Open
  4. Click any Find & Order -> Edit
  5. In tab Basic, inject payload to: Parameters, Anchor; in tab Advanced, inject payload to: Class

For more understanding please check POC.

PoC payload to bypass: `"><svg><animate onbegin=prompt(document.domain) attributeName=x dur=1s>`

POC: https://drive.google.com/file/d/1tRRX5SGb_p11dWzvmsNTnpV6GfPl8Czj/view?usp=sharing

Impact

An attacker can use XSS to send a malicious script to any user.
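The payload in the report begins with `">`, so it closes whatever attribute the Parameters, Anchor or Class value is written into. The following is an added example, not Pimcore's code and not the fix from the referenced commit: the renderer functions, the field names of `$link` and the `/find-order` path are assumptions made to show naive concatenation beside per-field normalisation with output encoding.

```php
<?php
declare(strict_types=1);

// Hypothetical link renderer (not Pimcore code). $link holds the stored fields named in the report.

/** Vulnerable: stored values are concatenated into the attributes as-is. */
function renderLinkUnsafe(array $link): string
{
    return '<a href="' . $link['path'] . '?' . $link['parameters'] . '#' . $link['anchor']
        . '" class="' . $link['class'] . '">' . $link['text'] . '</a>';
}

/** Hardened: normalise each field to its expected shape, then HTML-encode on output. */
function renderLinkSafe(array $link): string
{
    $esc = static fn (string $v): string =>
        htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    // Parameters: re-encode every key and value of the query string.
    $pairs = [];
    foreach (explode('&', ltrim($link['parameters'], '?')) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $pairs[] = rawurlencode(rawurldecode($k)) . '=' . rawurlencode(rawurldecode($v));
    }
    $href = $link['path']
        . ($pairs ? '?' . implode('&', $pairs) : '')
        . ($link['anchor'] !== '' ? '#' . rawurlencode(ltrim($link['anchor'], '#')) : '');

    // Class: keep only plain CSS class tokens.
    $classes = array_filter(
        preg_split('/\s+/', $link['class'], -1, PREG_SPLIT_NO_EMPTY),
        static fn (string $c): bool => preg_match('/^[A-Za-z_][A-Za-z0-9_-]*$/', $c) === 1
    );

    return '<a href="' . $esc($href) . '" class="' . $esc(implode(' ', $classes)) . '">'
        . $esc($link['text']) . '</a>';
}

// Constructed sample record; the payload is the one quoted in the report.
$payload = '"><svg><animate onbegin=prompt(document.domain) attributeName=x dur=1s>';
$link = ['path' => '/find-order', 'text' => 'Find & Order',
         'parameters' => $payload, 'anchor' => $payload, 'class' => $payload];

echo renderLinkUnsafe($link), PHP_EOL; // first payload closes href early; <svg> is parsed as markup
echo renderLinkSafe($link), PHP_EOL;   // a single <a> element; payload quotes and brackets are encoded
```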

We are processing your report and will contact the pimcore team within 24 hours. (2 months ago)
We have contacted a member of the pimcore team and are waiting to hear back. (2 months ago)

HMs (Researcher), a month ago:

Hi there, any update for me?

HMs (Researcher), a month ago:

.

Christian F. modified the Severity from High (7.6) to Medium (6.3) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Christian F. validated this vulnerability a month ago
HMs has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.21 with commit 697064 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability a month ago