Cross-site Scripting (XSS) - Stored in pimcore/pimcore


Reported on

Feb 27th 2022


pimcore is vulnerable to Stored XSS at Key field in the Navigation & Properties tab of a Document page.


"><img src=x onerror=alert(1);>

Step to reproduce

1.Go to and login.
2.Click on any document (Home, de,...) in the Documents
3.Go to Navigation & Properties tab, in the Key column, input payload "><img src=x onerror=alert(1);> into the Key field of any record.
You will see the XSS popup triggers.


This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We are processing your report and will contact the pimcore team within 24 hours. a year ago
We have contacted a member of the pimcore team and are waiting to hear back a year ago
Divesh Pahuja modified the report
a year ago
JiaJia Ji validated this vulnerability a year ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
JiaJia Ji marked this as fixed in 10.3.3 with commit e786fd a year ago
JiaJia Ji has been awarded the fix bounty
This vulnerability will not receive a CVE
properties.js#L241-L273 has been validated
properties.js#L14-L36 has been validated
properties.js#L39-L227 has been validated
to join this conversation