XSS Stored in the email address in pimcore/pimcore


Reported on

Feb 14th 2023


Hello, I have located an xss stored by performing the following step:

1 - Go to tools 2 - GDPR Data Extractor 3 - Insert the payload into the email address 4 - click in send emails

Proof of Concept

Alt Text


As Result this allow an attacker to steal user session , takeover user account , make redirect user to attacker controlled site .

We are processing your report and will contact the pimcore team within 24 hours. 2 months ago
Dan Barros modified the report
2 months ago
We have contacted a member of the pimcore team and are waiting to hear back 2 months ago
pimcore/pimcore maintainer has acknowledged this report a month ago
Divesh Pahuja validated this vulnerability a month ago
Dan Barros has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.18 with commit 4b5733 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability a month ago
to join this conversation