Cross-site Scripting (XSS) - Stored in pimcore/pimcore

Valid

Reported on

Mar 8th 2022


Description

pimcore datahub is vulnerable to Stored XSS in multiple places including:

(1) the Pricing Rule of Online Shop in EcommerceFrameworkBundle. Whenever an admin user access Pricing Rule, a stored XSS will be triggered.

(2) Image Thumbnails in Settings. Whenever an admin user access Image Thumbnails, a stored XSS will be triggered.

(3) Video Thumbnails in Settings. Whenever an admin user access Video Thumbnails, a stored XSS will be triggered.

Proof of Concept for 1

Step 1: Go to https://demo.pimcore.fun/admin/ and login.

Step 2: Click File > Perspective > Commerce on the left

Step 3: Click Online Shop > Pricing Rule on the left

Step 4: Click Add to add pricing rule

Step 5: Input aaa so as to capture legitimate POST request in Burp Suite

Step 6: Modify value of the name parameter in the body of POST request as below, which is URL encoded

"><img+src%3dx+onerror%3dalert(document.domain)>

Step 7: Forward the request

You will see the an alert box prompt whenever you access Pricing Rule

Proof of Concept for 2 & 3

Step 1: Go to https://10.x-dev.pimcore.fun/admin/ and login.

Step 2: Click Settings > Thumbnails > Image / Video Thumbnails > Add

Step 3: Input aaa so as to capture legitimate POST request in Burp Suite

Step 4: Modify value of the name parameter in the body of POST request as below, which is URL encoded

"><img+src%3dx+onerror%3dalert(document.domain)>

Step 5: Forward the request

You will see the an alert box prompt whenever you access Image Thumbnail / Video Thumbnail

Impact

This vulnerability is capable for letting attacker potentially steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

Occurrences

There is no any input sanitzation from client (e.g. html characters escape)

There is no any input sanitzation from client (e.g. html characters escape)

We are processing your report and will contact the pimcore team within 24 hours. 3 months ago
James Yeung modified the report
3 months ago
James Yeung modified the report
3 months ago
James Yeung modified the report
3 months ago
James Yeung modified the report
3 months ago
Divesh Pahuja validated this vulnerability 3 months ago
James Yeung has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the pimcore team. We will try again in 7 days. 3 months ago
Divesh Pahuja confirmed that a fix has been merged on 6e0922 2 months ago
Divesh Pahuja has been awarded the fix bounty
to join this conversation