Stored XSS in name parameter of "Static Routes" in pimcore/pimcore
Reported on
Mar 20th 2023
Description
During testing, I observed that the name parameter of the "Static Routes" functionality is vulnerable to stored XSS.
Proof of Concept
1.Login to https://demo.pimcore.fun/admin/.
2.Now go to Settings -> Static Routes -> Add and Enter the payload: "><img src=1 onerror=alert(document.domain)> inside the name input field.
3.Then click on update.
4.Now delete the name, you will see XSS will trigger.
Video PoC
https://drive.google.com/file/d/1vChnkWZKoNYjn_1HBFsFVDGbo_x1vUjS/view?usp=share_link
Impact
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.
References
Please add it to the above report as an occurrence. Opening more than 1 report per vulnerability type by circumventing our bundling system can result in a ban.
Hi @psmoros i have updated the report https://huntr.dev/bounties/41edf190-f6bf-4a29-a237-7ff1b2d048d3/ and added this as occurrence
Hi @psmoros, we have fixed the reported issue in the product. Is it now possible to validate this and close it to assign CVE?
Same query for: https://huntr.dev/bounties/1a5e6c65-2c5e-4617-9411-5b47a7e743a6/ https://huntr.dev/bounties/af9c360a-87f8-4e97-a24b-6db675ee942a/
Thanks, Divesh
@admin can you please re-open the following mentioned reports and let @divesh to validate it?
Reports have been re-opened as requested and scores have been reset. Thanks!
@dvesh3 @maintainer Now please validate the report and the occurrences.
@admin how can i find the published CVE for this fix? thanks!
Hi, the CVE is assigned and will update to published shortly. Thanks!