Stored XSS in print Generate and preview PDF in pimcore/pimcore

Valid

Reported on

Feb 28th 2023


Hi Team,

In the Pimcore dev URL https://11.x-dev.pimcore.fun/admin/ I found one stored XSS in Generate and preview PDF. The author field and title field are vulnerable to XSS.

Steps to reproduce

  1. Log in to the dev URL https://11.x-dev.pimcore.fun/admin/
  2. Add a print container page in Documents
  3. Insert this XSS payload in the author and title fields: ;1lblah"<iframe/onload=confirm(document.domain);></i>"
  4. Then save and publish > click Generate PDF > then cancel the PDF and save and publish the container page
  5. Log out and log back in to the account
  6. Go to the print container page and go to Generate and preview PDF; you can see the XSS get executed

Video Proof https://drive.google.com/file/d/1Pw6ew2N_n_TfiCHI0OOCxGOHsfEHMPmt/view?usp=sharing

PoC https://drive.google.com/file/d/17TvYStMn9XXMPY1QC9HDbGqfWzmwSvSq/view?usp=sharing

Impact

Stored XSS leads to stealing cookies and other information of other users
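The defect class behind this report, as an added example that is not part of the report and not Pimcore's own code: a preview renderer that interpolates the stored title and author straight into markup, beside a hardened version that HTML-escapes them first. The field names, the shape of the renderer and the list of template tags are assumptions; the stored values are the payload from the report, embedded here as a constructed sample.

```javascript
// Added example, not Pimcore code. Illustrates the stored-XSS pattern from
// the report: document fields saved by one user are rendered into the
// "Generate and preview PDF" view seen by another user without escaping.
// Field names and renderer layout are assumptions.

// Constructed sample: the payload from the report stored in both fields.
const STORED_DOCUMENT = {
  title: ';1lblah"<iframe/onload=confirm(document.domain);></i>"',
  author: ';1lblah"<iframe/onload=confirm(document.domain);></i>"',
};

// Vulnerable: stored values are concatenated into the markup, so the
// stored "<iframe ... onload=...>" becomes a live element in the preview.
function renderPreviewUnsafe(doc) {
  return `<div class="pdf-preview">
  <h1>${doc.title}</h1>
  <p class="author">by ${doc.author}</p>
</div>`;
}

// Hardened: escape every character that can break out of text or
// attribute context. Both quote styles are escaped so the same helper is
// safe inside double- or single-quoted attributes as well as text nodes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderPreviewSafe(doc) {
  return `<div class="pdf-preview" data-author="${escapeHtml(doc.author)}">
  <h1>${escapeHtml(doc.title)}</h1>
  <p class="author">by ${escapeHtml(doc.author)}</p>
</div>`;
}

// Oracle for a regression test: list every tag in the rendered markup that
// the template itself did not emit. Anything here came from user data.
// (A keyword check such as /onload=/ would be the wrong oracle: the escaped
// output still contains the literal text "onload=", harmlessly.)
const TEMPLATE_TAGS = new Set(["div", "/div", "h1", "/h1", "p", "/p"]);
function foreignTags(html) {
  const found = [];
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const name = (m[0].startsWith("</") ? "/" : "") + m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(name)) found.push(name);
  }
  return found;
}

module.exports = { STORED_DOCUMENT, renderPreviewUnsafe, renderPreviewSafe, escapeHtml, foreignTags };
```

Running foreignTags over renderPreviewUnsafe(STORED_DOCUMENT) reports the injected iframe and the stray closing tag, while the hardened renderer yields an empty list and the payload survives only as inert text such as &lt;iframe/onload=. The same check can be pointed at a real preview response once a payload like the one in step 3 has been saved.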

We are processing your report and will contact the pimcore team within 24 hours. 2 months ago
We have contacted a member of the pimcore team and are waiting to hear back 2 months ago
0xR3d
2 months ago

Researcher


Any updates?

pimcore/pimcore maintainer has acknowledged this report 2 months ago
pimcore/pimcore maintainer
2 months ago

Maintainer


Thank you very much for reporting the issue, we've added this to our sprint and will update you asap :)

Divesh Pahuja modified the Severity from High (7.1) to Medium (4.8) 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Divesh Pahuja validated this vulnerability 2 months ago
0xR3d has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.19 with commit 82cca7 2 months ago
Divesh Pahuja has been awarded the fix bounty
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 2 months ago