Stored XSS in Email Blacklist Function in pimcore/pimcore

Valid

Reported on

Feb 14th 2023


Description

Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS.

There is a stored XSS vulnerability in the Email Blacklist function of the admin interface at https://demo.pimcore.fun/admin/?_dc=1676373439&perspective=

This is due to a lack of sanitization when inserting email addresses into the application: the submitted value is stored as-is and later rendered back in the admin UI, so an entry containing HTML is executed in the browser of whoever views the blacklist.

Proof of Concept

<img/src=x onError="${x};alert(xss-yara);"> -@ex_mi
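The following is an added illustration, not pimcore's code and not the fix from commit f6d322: it reproduces the two halves of the bug in plain JavaScript (the stored value concatenated straight into grid markup) beside the two controls a practitioner would expect, validation at insert time and HTML encoding at render time. The entry format, the function names and the assumption that a blacklist entry must be a single e-mail address are this example's own; the malicious sample is constructed from the payload shape above.

```javascript
// Added example (not pimcore code). Models a "store then view" flow for an
// e-mail blacklist entry, showing why encoding on output is needed even when
// input validation is also added.

// Constructed samples: what an attacker and a normal admin would submit.
const MALICIOUS_ENTRY = '<img/src=x onError="${x};alert(xss-yara);">';
const BENIGN_ENTRY = 'spam@example.com';

// Vulnerable pattern: whatever was persisted becomes live HTML in the
// viewing admin's browser.
function renderCellUnsafe(address) {
  return `<td>${address}</td>`;
}

// Control 1 (assumed policy for this example): a blacklist entry must be a
// single e-mail address, so anything else is rejected before it is stored.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
function validateBlacklistEntry(address) {
  if (typeof address !== 'string') return false;
  return EMAIL_RE.test(address.trim());
}

// Control 2: encode on output regardless of what the database holds, so
// entries stored before validation existed cannot execute either.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}
function renderCellSafe(address) {
  return `<td>${htmlEncode(address)}</td>`;
}

// Simulated store-then-view: returns the markup the viewing browser would
// receive, or null when the entry is rejected at insert time.
function storeAndRender(entry, { validate, encode }) {
  if (validate && !validateBlacklistEntry(entry)) return null;
  return encode ? renderCellSafe(entry) : renderCellUnsafe(entry);
}

// Stand-alone demonstration of the three configurations.
console.log('unsafe :', storeAndRender(MALICIOUS_ENTRY, { validate: false, encode: false }));
console.log('encoded:', storeAndRender(MALICIOUS_ENTRY, { validate: false, encode: true }));
console.log('rejected:', storeAndRender(MALICIOUS_ENTRY, { validate: true, encode: true }));
console.log('benign :', storeAndRender(BENIGN_ENTRY, { validate: true, encode: true }));
```

Validation alone closes the insert path but leaves any previously stored payload live; encoding alone renders it harmless but still lets garbage into the blacklist table. Both together is the usual target, and the encoded form of the sample payload shows that no character with meaning to the HTML parser survives.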

Collaboration note

This issue is a collaboration with Ahmed Hassan.

Impact

The attacker can execute arbitrary JavaScript in the browser of any user who views the blacklist, steal cookie information and use it to hijack that user's session.

We are processing your report and will contact the pimcore team within 24 hours. a year ago
Yara AlHumaidan (0xy37) modified the report
a year ago
pimcore/pimcore maintainer has acknowledged this report a year ago
Yara
a year ago

Researcher


Hello,

I just have a question, please. Can you assign the CVE to two persons or more?

Because we worked on many vulnerabilities together.

Would this be possible?

Thank you

Yara
a year ago

Researcher


Any updates?

Divesh Pahuja
a year ago

Maintainer


Hi @0xy37, we are looking into the issue. Yes, we can credit two authors on the GitHub Security Advisory, so please mention the accounts. Thanks!

Divesh Pahuja validated this vulnerability a year ago
0xy37 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.18 with commit f6d322 a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
Yara
a year ago

Researcher


Can you also add @ahmedvienna as a contributor?

Thanks 🙏

Divesh Pahuja
a year ago

Maintainer


Done. see https://github.com/pimcore/pimcore/security/advisories/GHSA-96hp-38wx-j3wc
