Stored XSS on Admin Translations in pimcore/pimcore

Valid

Reported on

Aug 7th 2022


Description

The Key/Name field in Admin Translation Settings is vulnerable to stored XSS: the value is saved and later rendered in the admin UI without escaping.

Proof of Concept

1 - Go to Settings, Admin Translations.

2 - Click Add, enter the XSS payload `"><iframe onload=confirm(1)>` in the Name field, then save.

3 - The XSS popup is triggered.

Both the stable and dev versions are vulnerable.

Video PoC

https://drive.google.com/drive/folders/15PhgJyEmIoyLJPgxz5Wb-Hy4HxN2E6_V?usp=sharing

Impact

An attacker can steal admin cookies and gain unauthorized privileged access.
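As an added illustration (not Pimcore's code or the fix shipped in 10.5.4), the JavaScript below shows how a stored translation key breaks out of admin-UI markup when it is interpolated raw, and how context-appropriate HTML encoding neutralizes the payload quoted above; the sample rows, the two renderers and the audit helper are constructed for this example.

```javascript
// Added example, not Pimcore's code: stored XSS via an unescaped
// translation key, and the hardened renderer. PAYLOAD is the string
// from the report above.
const PAYLOAD = '"><iframe onload=confirm(1)>';

// Constructed sample of what a translations grid might receive:
// one benign key and one carrying the stored payload.
const translations = [
  { key: 'login.title', text: 'Sign in' },
  { key: PAYLOAD, text: 'owned' },
];

// Encode the five characters that let a value break out of HTML
// text content or a quoted attribute.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable renderer: the key lands raw in an attribute and in text,
// so `">` closes the attribute and the rest becomes a new element.
function renderRowUnsafe(t) {
  return `<div class="x-grid-cell" title="${t.key}">${t.key}</div>`;
}

// Hardened renderer: the untrusted value is encoded before it reaches
// either context, so the browser only ever sees it as text.
function renderRowSafe(t) {
  const k = htmlEncode(t.key);
  return `<div class="x-grid-cell" title="${k}">${k}</div>`;
}

// True when the markup contains any tag other than the single div the
// renderer itself emits, i.e. something injected by the stored value.
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !/^<\/?div\b/.test(tag));
}

// Render every row with the given renderer and flag the ones that leak.
function audit(rows, render) {
  return rows.map((t) => containsInjectedTag(render(t)));
}
```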

We are processing your report and will contact the pimcore team within 24 hours.
We have contacted a member of the pimcore team and are waiting to hear back.
We have sent a follow up to the pimcore team. We will try again in 7 days.
Divesh Pahuja validated this vulnerability.
Amine has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
We have sent a fix follow up to the pimcore team. We will try again in 7 days.
We have sent a second fix follow up to the pimcore team. We will try again in 10 days.
Divesh Pahuja marked this as fixed in 10.5.4 with commit 2fd468.
Divesh Pahuja has been awarded the fix bounty.
This vulnerability will not receive a CVE.