XSS in Classification Store of Data Objects module in Settings in pimcore/pimcore
Reported on
Mar 26th 2023
Description
Pimcore is vulnerable to stored XSS via the Name field of the Classification Store (Settings -> Data Objects -> Classification Store). The payload is saved with the record and executes in the browser of any backend user who later triggers the delete action on that record. The flaw is present in all three tabs: Group Collections, Group and Key Definitions.
Payload
"><img src=x onerror=alert(document.domain);>
Proof of Concept
1. Go to https://11.x-dev.pimcore.fun/admin/ and log in.
2. In the left menu bar, go to Settings -> Data Objects -> Classification Store and click on ProductAttributes.
3. In the newly opened tab, click the Add button, enter the payload "><img src=x onerror=alert(document.domain);> into the Name field, then click OK.
4. Click the delete icon (X) on the newly added record. The stored Name is rendered unescaped by the delete action and the XSS popup fires.
Note: The same issue is present in all three tabs: Group Collections, Group, Key Definitions.
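The snippet below is an added illustration of the pattern behind step 4 and is not pimcore's own code (this report does not reproduce the affected source). It shows, in plain JavaScript, a stored record name concatenated straight into text that an ExtJS dialog or grid cell will render as HTML, next to the same rendering with the name HTML-encoded first. The record shape, prompt wording and function names are assumptions made for the example; the payload is the one from this report.

```javascript
// Added example, not pimcore code. Constructed sample record carrying the
// payload from the report, as it would be stored after step 3.
const PAYLOAD = '"><img src=x onerror=alert(document.domain);>';
const record = { id: 42, name: PAYLOAD }; // hypothetical record shape

// Vulnerable pattern: untrusted text becomes part of markup unchanged.
// Anything that renders this string as HTML (Ext.Msg bodies, grid cell
// renderers, tooltips) will parse the <img> tag and run the handler.
function renderDeletePromptUnsafe(rec) {
  return 'Do you really want to delete "' + rec.name + '"?';
}

// Hardened pattern: encode the five HTML-significant characters before the
// value is inserted. Same character set as ExtJS' Ext.util.Format.htmlEncode.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderDeletePromptSafe(rec) {
  return 'Do you really want to delete "' + htmlEncode(rec.name) + '"?';
}

// Quick check a tester can run on any rendered string: does it still contain
// the start of an HTML tag once the user-controlled value has been inserted?
// (Encoded output has no literal '<' left, so it cannot form a tag.)
function containsTag(html) {
  return /<\/?[a-z!]/i.test(html);
}

console.log(renderDeletePromptUnsafe(record));
console.log(renderDeletePromptSafe(record));
console.log(containsTag(renderDeletePromptUnsafe(record))); // true
console.log(containsTag(renderDeletePromptSafe(record)));   // false
```

Pimcore's admin backend is built on ExtJS, so the practical fix is the encoded form: pass values through Ext.util.Format.htmlEncode (or set the element's text rather than its HTML) wherever a stored name reaches a MessageBox, tooltip or renderer. The containsTag check is the same assertion a unit test for the dialog text would make.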
Impact
Because the payload is stored server-side and rendered unescaped in the admin backend, any user allowed to edit the Classification Store can run arbitrary JavaScript in the session of another backend user who later handles that record. Typical consequences are theft of the session cookie and takeover of that user's account (where the session cookie is not flagged HttpOnly), performing backend actions with the victim's privileges, or redirecting the victim to an attacker-controlled site.