/

Multiple Stored XSS in name parameter of "Pricing Rules", "Predefined Properties", "Customers Reports" & "Static Routes" in pimcore/pimcore

Valid

Reported on

Mar 20th 2023

Description

The name parameter of the "Pricing Rules", "Predefined Properties", "Customers Reports" & "Static Routes" functionality is vulnerable to Stored XSS.

Proof of Concept

1.Login to https://demo.pimcore.fun/admin/.

2.Now go to Online Shop -> Pricing Rules -> Add and  Enter the name of the new item.

3.Then capture the request on the burp suite and modify the name parameter value with xss payload: ```"><img src=1 onerror=alert(1337);> or "><img src=1 onerror=alert(document.domain);>``` and forward the request.

4.Now xss will trigger.

Video PoC

https://drive.google.com/file/d/1caoStWr0Ex08j0cmqCSiwyjpCQgYSR6j/view?usp=share_link
https://drive.google.com/file/d/1vChnkWZKoNYjn_1HBFsFVDGbo_x1vUjS/view?usp=share_link
https://drive.google.com/file/d/1WNdLQ-vjcfPWG4k24MMBkknTocPgCSLB/view?usp=share_link
https://drive.google.com/file/d/1kQjTzLNpuzZRySUt19IBn3T7ABvMRxem/view?usp=share_link

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.

Occurrences

PricingController.php L134-L162

References

huntr.dev report

We are processing your report and will contact the pimcore team within 24 hours. 2 months ago

We have contacted a member of the pimcore team and are waiting to hear back 2 months ago

SAMPRIT DAS modified the report

2 months ago

SAMPRIT DAS modified the report

2 months ago

commented 2 months ago

Researcher

Hi, team any update?

A pimcore/pimcore maintainer has acknowledged this report 2 months ago

commented 2 months ago

Researcher

Hi, team any update?

commented a month ago

Researcher

@dvesh3 Any update on this report?

commented a month ago

Yes, we're on it - thanks for the reminder!

commented a month ago

Researcher

@brusch Okay thanks

Bernhard Rusch modified the Severity from Critical (9) to Medium (6.8) a month ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

Bernhard Rusch validated this vulnerability a month ago

SAMPRIT DAS has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Divesh Pahuja marked this as fixed in 10.5.21 with commit e88fa7 a month ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

Divesh Pahuja published this vulnerability a month ago

PricingController.php#L134-L162 has been validated

to join this conversation

We are processing your report and will contact the pimcore team within 24 hours. 2 months ago

We have contacted a member of the pimcore team and are waiting to hear back 2 months ago

SAMPRIT DAS modified the report

2 months ago

SAMPRIT DAS modified the report

2 months ago

commented 2 months ago

Researcher

Hi, team any update?

A pimcore/pimcore maintainer has acknowledged this report 2 months ago

commented 2 months ago

Researcher

Hi, team any update?

commented a month ago

Researcher

@dvesh3 Any update on this report?

commented a month ago

Yes, we're on it - thanks for the reminder!

commented a month ago

Researcher

@brusch Okay thanks

Bernhard Rusch modified the Severity from Critical (9) to Medium (6.8) a month ago

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1

Bernhard Rusch validated this vulnerability a month ago

SAMPRIT DAS has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Divesh Pahuja marked this as fixed in 10.5.21 with commit e88fa7 a month ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

Divesh Pahuja published this vulnerability a month ago

PricingController.php#L134-L162 has been validated

to join this conversation