Stored XSS in print generate and preview PDF in pimcore/pimcore

Valid

Reported on

Feb 28th 2023


Hi Team,

In the pimcore dev URL https://11.x-dev.pimcore.fun/admin/ I found one stored XSS in generate and preview PDF. The author field and title field are vulnerable to XSS.

Steps to reproduce

  1. Log in to the dev URL https://11.x-dev.pimcore.fun/admin/
  2. Add a print container page in documents
  3. Insert this XSS payload in the author and title fields: ;1lblah"<iframe/onload=confirm(document.domain);></i>"
  4. Then save and publish > click generate PDF > then cancel the PDF and save and publish the container page
  5. Log out and log back in to the account
  6. Go to the print container page and go to Generate and preview PDF; you can see the XSS get executed

Video Proof https://drive.google.com/file/d/1Pw6ew2N_n_TfiCHI0OOCxGOHsfEHMPmt/view?usp=sharing

PoC https://drive.google.com/file/d/17TvYStMn9XXMPY1QC9HDbGqfWzmwSvSq/view?usp=sharing

Impact

Stored XSS leads to stealing cookies and other information of other users
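Added example, not Pimcore's code and not the actual fix: a Python model of the rendering flaw described in the report (stored title/author values concatenated into the preview HTML as-is), the entity-encoded rendering that neutralises the reported payload in both text and attribute context, and a small HTMLParser-based audit a maintainer could run as a regression check on rendered output. The header template and EXPECTED_TAGS are assumptions for this illustration.

```python
import html
from html.parser import HTMLParser

# The payload from the report, embedded here as a constructed test input.
REPORTED_PAYLOAD = ';1lblah"<iframe/onload=confirm(document.domain);></i>"'

# Tags the (assumed) print-preview header template legitimately emits.
EXPECTED_TAGS = {"meta", "h1", "p"}


def render_header_vulnerable(title: str, author: str) -> str:
    """Models the flaw: stored field values are dropped into the preview HTML unencoded."""
    return (f'<meta name="author" content="{author}">'
            f'<h1>{title}</h1><p class="author">{author}</p>')


def render_header_hardened(title: str, author: str) -> str:
    """Same template, every untrusted value entity-encoded for text and attribute context.
    quote=True also encodes ' and ", so a value cannot break out of content="..."."""
    t, a = html.escape(title, quote=True), html.escape(author, quote=True)
    return (f'<meta name="author" content="{a}">'
            f'<h1>{t}</h1><p class="author">{a}</p>')


class _TagAudit(HTMLParser):
    """Collects tags the template never emits and any on* event-handler attribute."""
    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in EXPECTED_TAGS:
            self.findings.append(f"unexpected tag <{tag}>")
        for name, _ in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")


def audit_rendered_html(rendered: str) -> list[str]:
    """Regression check: returns the markup that leaked out of untrusted fields (empty if clean)."""
    parser = _TagAudit()
    parser.feed(rendered)
    parser.close()
    return parser.findings


def escaped_round_trips(value: str) -> bool:
    """Encoding loses no data: the browser decodes the entities back to the original text."""
    return html.unescape(html.escape(value, quote=True)) == value
```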

We are processing your report and will contact the pimcore team within 24 hours. a month ago
We have contacted a member of the pimcore team and are waiting to hear back a month ago
0xR3d
a month ago

Researcher


Any updates?

pimcore/pimcore maintainer has acknowledged this report 25 days ago
pimcore/pimcore maintainer
25 days ago

Maintainer


Thank you very much for reporting the issue, we've added this to our sprint and will update you asap :)

Divesh Pahuja modified the Severity from High (7.1) to Medium (4.8) 22 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Divesh Pahuja validated this vulnerability 22 days ago
0xR3d has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.19 with commit 82cca7 22 days ago
Divesh Pahuja has been awarded the fix bounty
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 22 days ago