Stored Cross Site Scripting (XSS) via "properties" during creating new users in pimcore/pimcore
Valid
Reported on
Sep 6th 2022
Description
1. From the demo URL, log in.
2. Click the people icon in the left bar.
3. Click "Customers".
4. Click the "New Customer" button on the page.
5. Fill in the "Edit" tab.
6. Click the "Save" button above.
7. Click the "Properties" tab.
8. In the "Add a custom Property" field, enter "Test" in the first field.
9. Click and select "text" in the second field.
10. Click the "+" button at the right of the field.
11. In the table, click the key field to edit it and add the payload below:
mang"><img/src=x onerror=alert(/xss/)>
The XSS is then triggered once the user clicks anywhere on the page.
Video Proof of Concept(PoC)
https://drive.google.com/file/d/1sfuiGp_c0AqBth55aR5tEdmVNka_BG0x/view?usp=sharing
Impact
This vulnerability allows attackers to hijack the user's current session, steal relevant information, deface the website or direct users to malicious websites, and can be used for further exploitation.
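The property key from the description above breaks out of an HTML attribute because it is stored and later written into markup unencoded. The following is an added example, not pimcore's code or its fix: `renderRowUnsafe`, `renderRowSafe`, `isAcceptableKey`, the cell markup and the key allowlist are all hypothetical, and show the same stored key rendered with and without output encoding.

```javascript
// Added example (not pimcore code). Function names, the <td> markup and the
// key allowlist are hypothetical stand-ins for a grid cell showing a property key.

// Encode the five characters that can change HTML context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": the stored key is concatenated into an attribute and a text node.
function renderRowUnsafe(prop) {
  return '<td data-key="' + prop.key + '">' + prop.key + "</td>";
}

// "After": the same row with the key encoded at output time.
function renderRowSafe(prop) {
  const key = escapeHtml(prop.key);
  return '<td data-key="' + key + '">' + key + "</td>";
}

// Defence in depth at save time: an assumed, conservative policy for key names.
function isAcceptableKey(key) {
  return typeof key === "string" && /^[A-Za-z0-9_.-]{1,64}$/.test(key);
}

// Crude check: names of tags that appear as live markup in a string.
function liveTags(html) {
  return [...html.matchAll(/<\s*([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed record using the key from the report above.
const stored = { key: 'mang"><img/src=x onerror=alert(/xss/)>', type: "text" };

function demo() {
  return {
    unsafe: liveTags(renderRowUnsafe(stored)), // td plus two injected img tags
    safe: liveTags(renderRowSafe(stored)),     // only the td the template wrote
    accepted: isAcceptableKey(stored.key),     // rejected by the allowlist
  };
}

console.log(demo());
```

Encoding at output is the control that matters here; the save-time allowlist only narrows what can reach storage and does not replace it.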
Occurrences
We are processing your report and will contact the pimcore team within 24 hours.
8 months ago
Saitamang modified the report
8 months ago
We have contacted a member of the pimcore team and are waiting to hear back
8 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
The researcher's credibility has increased: +7
UserController.php#L277-L385 has been validated
