Stored XSS in module name "Edit Link" in pimcore/pimcore

Valid

Reported on

May 7th 2023


Description

I noticed that you filtered the input very carefully.

But there are still some parts you missed.

Proof of Concept

1. Log in at the URL: https://demo.pimcore.fun/admin.

2. Go to "Search Documents", filter the search to "Snippet" only and press search.

3. Go to "/en/shared/teasers/Popular Brands".

4. In the Edit section, press the "Edit Link" icon, edit the "Text" field and enter the following XSS payload:

    <img src=x onerror=javascript:alert(('1'))>

5. Save, and the XSS is executed.

Video PoC

https://drive.google.com/file/d/18LNVcoZsluPMWb_VvHJkI_iKtpES_iLV/view?usp=sharing

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.
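As an added defensive illustration (not Pimcore's code and not part of the report), the following Python contrasts emitting a stored link text verbatim with encoding it for the HTML context at render time, and adds a scanner for auditing link texts that were saved before a fix, since stored XSS persists in the database. The function names, the scheme allow-list and the example href are assumptions; the payload string is the one quoted in the report.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Payload quoted in the report above, copied here as the test input.
REPORT_PAYLOAD = "<img src=x onerror=javascript:alert(('1'))>"

# Assumption: only these URL schemes are acceptable link targets ("" = relative path).
SAFE_SCHEMES = {"", "http", "https", "mailto"}


def render_link_unsafe(text: str, href: str) -> str:
    """Failure mode from the report: the stored text lands in the page verbatim."""
    return f'<a href="{href}">{text}</a>'


def render_link(text: str, href: str) -> str:
    """Hardened form: HTML-encode text and attribute at output time and refuse
    link targets whose scheme is not on the allow-list (e.g. javascript:)."""
    try:
        scheme = urlsplit(href.strip()).scheme.lower()
    except ValueError:          # malformed URL (e.g. bad IPv6 brackets): do not trust it
        scheme = "invalid"
    if scheme not in SAFE_SCHEMES:
        href = "#"
    return '<a href="{}">{}</a>'.format(
        html.escape(href, quote=True), html.escape(text, quote=True)
    )


class _MarkupFinder(HTMLParser):
    """Records every start tag and the on* event-handler attributes it carries."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        handlers = [name for name, _ in attrs if name.lower().startswith("on")]
        self.findings.append((tag, handlers))


def find_active_markup(stored_text: str) -> list:
    """Audit helper: returns [(tag, [event handler attrs]), ...] found in a
    stored link text; anything non-empty is markup that should not be there."""
    finder = _MarkupFinder()
    finder.feed(stored_text)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    print(render_link(REPORT_PAYLOAD, "/en/example"))   # payload rendered as inert text
    print(find_active_markup(REPORT_PAYLOAD))           # [('img', ['onerror'])]
```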

We are processing your report and will contact the pimcore team within 24 hours. 4 months ago
We have contacted a member of the pimcore team and are waiting to hear back 4 months ago
H4ck3r Kh0ỏng
3 months ago

Researcher


Hi, is there any new update?

pimcore/pimcore maintainer has acknowledged this report 2 months ago
aryaantony92 validated this vulnerability 2 months ago
H4ck3r Kh0ỏng has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja
2 months ago

Maintainer


Hi, this report is a duplicate of https://huntr.dev/bounties/24d91b83-c3df-48f5-a713-9def733f2de7/

@admin, we would like to unmark this as valid and mark it as a duplicate. Could you please help? Sorry for the inconvenience.

Divesh Pahuja
2 months ago

Maintainer


Please ignore the comment above, as it was intended for another report.

H4ck3r Kh0ỏng
2 months ago

Researcher


So my report is still eligible for the reward, right?

Divesh Pahuja
2 months ago

Maintainer


Yes, this one is valid :)

Divesh Pahuja marked this as fixed in 10.6.4 with commit d75888 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 2 months ago