Stored XSS in module name "Edit Link" in pimcore/pimcore


Reported on

May 7th 2023


I noticed that you filtered the input very carefully.

But there are still some parts you missed

Proof of Concept

1.Login in URL :

2.Go to "Search Documents" and filter only "Snippet" search and press search.

3.Go to "/en/shared/teasers/Popular Brands".

4.In the Edit section, press the "Edit Link" icon and edit the "Text" section -> enter the following xss:

                <img src=x onerror=javascript:alert(('1'))>

5.Save and the xss has been executed.

Video PoC


This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.

We are processing your report and will contact the pimcore team within 24 hours. 4 months ago
We have contacted a member of the pimcore team and are waiting to hear back 4 months ago
H4ck3r Kh0ỏng
3 months ago


hi is there any new update

pimcore/pimcore maintainer has acknowledged this report 2 months ago
aryaantony92 validated this vulnerability 2 months ago
H4ck3r Kh0ỏng has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja
2 months ago


Hi, this report is duplicate of

@admin we would like to unmark this as valid and mark it as duplicate. could you please help? sorry for the inconvenience.

Divesh Pahuja
2 months ago


please ignore the comment above as this is intended for other report.

H4ck3r Kh0ỏng
2 months ago


so my report is still eligible for the reward, right

Divesh Pahuja
2 months ago


yes, this one is valid :)

Divesh Pahuja marked this as fixed in 10.6.4 with commit d75888 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 2 months ago
to join this conversation