Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Feb 27th 2022
pimcore is vulnerable to Stored XSS at Key field in the Navigation & Properties tab of a Document page.
"><img src=x onerror=alert(1);>
Step to reproduce
https://demo.pimcore.fun/admin/ and login.
2.Click on any document (Home, de,...) in the Documents
3.Go to Navigation & Properties tab, in the Key column, input payload
"><img src=x onerror=alert(1);> into the Key field of any record.
You will see the XSS popup triggers.
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.