Stored XSS in Email Blacklist Function in pimcore/pimcore

Valid

Reported on

Feb 14th 2023


Description

Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information. Stored XSS is also sometimes referred to as Persistent or Type-I XSS.

There is a Stored XSS vulnerability in the Email Blacklist function: https://demo.pimcore.fun/admin/?_dc=1676373439&perspective=

This is due to a lack of sanitization when inserting email addresses in the application.

Proof of Concept

<img/src=x onError="${x};alert(xss-yara);"> -@ex_mi

Collaboration note

This issue is a collaboration with Ahmed Hassan.

Impact

The attacker can execute arbitrary JavaScript, steal cookie information and use it to hijack the user's session.
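Added example, not part of the original report and not pimcore's own code: a JavaScript sketch of the two controls that close this class of bug, rejecting non-address input before it is stored and HTML-encoding the stored value when it is rendered. All function names are hypothetical, and the actual change in the fix commit is not shown on this page.

```javascript
// Added example: every name here is hypothetical, not taken from pimcore.
// Payload string as given in the report's Proof of Concept.
const PAGE_POC = '<img/src=x onError="${x};alert(xss-yara);"> -@ex_mi';

// Conservative allow-list: no whitespace, quotes or angle brackets in the address.
const EMAIL_RE = /^[A-Za-z0-9.!#$%&*+\/=?^_`{|}~-]+@[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)+$/;

function isAcceptableAddress(addr) {
  return typeof addr === 'string' && addr.length <= 254 && EMAIL_RE.test(addr);
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input side: refuse to store anything that is not an address.
function addToBlacklist(store, addr) {
  const candidate = String(addr).trim();
  if (!isAcceptableAddress(candidate)) return false;
  store.push(candidate);
  return true;
}

// Output side, "before": the stored value is concatenated into markup as-is,
// so a stored tag is parsed by the browser of whoever opens the list.
function renderCellUnsafe(addr) {
  return '<td>' + addr + '</td>';
}

// Output side, hardened: the stored value is encoded for the HTML context.
// Still required after validation, since "&" is legal in an address.
function renderCellSafe(addr) {
  return '<td>' + escapeHtml(addr) + '</td>';
}
```

Output encoding is the control that matters for entries already in the database; input validation only stops new ones.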

We are processing your report and will contact the pimcore team within 24 hours. 2 months ago
Yara AlHumaidan (0xy37) modified the report
2 months ago
pimcore/pimcore maintainer has acknowledged this report 2 months ago
Yara
2 months ago

Researcher


Hello,

I just have a question, please. Can you assign the CVE to 2 persons or more?

Because we worked on many vulnerabilities together.

Would this be possible?

Thank you

Yara
a month ago

Researcher


Any updates?

Divesh Pahuja
a month ago

Maintainer


Hi @0xy37, we are looking into the issue. Yes, we can credit 2 authors on the GitHub Security Advisory, so please mention the accounts. Thanks!

Divesh Pahuja validated this vulnerability a month ago
Yara AlHumaidan (0xy37) has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.18 with commit f6d322 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability a month ago
Yara
a month ago

Researcher


Can you also add @ahmedvienna as a contributor!

Thanks 🙏

Divesh Pahuja
a month ago

Maintainer


Done. See https://github.com/pimcore/pimcore/security/advisories/GHSA-96hp-38wx-j3wc