Reflected XSS in Application Logger module in pimcore/pimcore
Mar 1st 2023
pimcore is vulnerable to Reflected XSS at From and To fields when searching in the Application Logger module.
"><img src=x onerror=alert(document.domain);>
Proof of Concept
https://demo.pimcore.fun/admin/ and login.
2.In the left menu bar, go to Tools -> Application Logger.
3.In the Application Logger tab, on the right Search form, input the payload
"><img src=x onerror=alert(document.domain);> into the From and To fields.
You will see the XSS popup triggers.
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.
Thank you, @dvesh3.
Can you acknowledge and review my other report here?
I reported it before this report but it has not been acknowledged yet.