Stored XSS on Admin Translations in pimcore/pimcore

Valid

Reported on Aug 7th 2022


Description

The Key/Name field in the Admin Translations settings is vulnerable to stored XSS: a payload saved in that field is executed when the entry is rendered in the admin UI.

Proof of Concept

1 - Go to Settings, Admin Translations.

2 - Click Add, enter the XSS payload "><iframe onload=confirm(1)> in the Name field, then save.

3 - The XSS popup is triggered.

Both Stable and Dev versions are vulnerable.
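The root cause of this class of bug is a value from the translation key being concatenated into admin-grid markup without HTML encoding. The following is an added illustration, not pimcore's code: a vulnerable cell renderer beside a hardened one, plus a small check that confirms the page's payload cannot survive rendering as live markup. The function names (renderKeyCellUnsafe, renderKeyCellSafe, countTags) are hypothetical.

```javascript
// Added example (not pimcore's code): HTML-encode a stored translation key
// before it reaches the admin grid, and verify that the payload is neutralised.

// Encodes the five characters that can terminate a text node or a quoted
// attribute value. Sufficient for the HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (hypothetical renderer): the raw key is dropped into both
// an attribute value and a text node. A key such as "><iframe onload=...> closes
// the attribute and injects a new element.
function renderKeyCellUnsafe(key) {
  return '<div class="key" title="' + key + '">' + key + "</div>";
}

// Hardened pattern: every interpolation is encoded for its context, so the
// stored key is shown verbatim as text and cannot create elements or handlers.
function renderKeyCellSafe(key) {
  const k = escapeHtml(key);
  return '<div class="key" title="' + k + '">' + k + "</div>";
}

// Regression check: count the tags in the rendered cell. A correctly rendered
// cell contains exactly two (the opening and closing div), whatever the key is.
function countTags(html) {
  const tags = html.match(/<[a-zA-Z\/][^>]*>/g);
  return tags ? tags.length : 0;
}

// Payload from the report, used here as constructed test input.
const reportedPayload = '"><iframe onload=confirm(1)>';

// Returns true when the hardened renderer keeps the cell to its two structural tags.
function hardenedRendererHolds(key) {
  return countTags(renderKeyCellSafe(key)) === 2;
}

console.log("unsafe tags:", countTags(renderKeyCellUnsafe(reportedPayload))); // 4
console.log("safe tags:  ", countTags(renderKeyCellSafe(reportedPayload)));   // 2
```

The same check belongs in the admin UI's test suite for every grid column that renders user-controlled strings. In an ExtJS-based interface the framework's own encoder, Ext.util.Format.htmlEncode, performs the same encoding and can be applied inside a column renderer instead of the hand-written escapeHtml above.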

Video PoC

https://drive.google.com/drive/folders/15PhgJyEmIoyLJPgxz5Wb-Hy4HxN2E6_V?usp=sharing

Impact

Steal Admin Cookies and gain unauthorized privileged access.

We are processing your report and will contact the pimcore team within 24 hours. (2 months ago)
We have contacted a member of the pimcore team and are waiting to hear back. (a month ago)
We have sent a follow up to the pimcore team. We will try again in 7 days. (a month ago)
Divesh Pahuja validated this vulnerability. (a month ago)
Amine has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
We have sent a fix follow up to the pimcore team. We will try again in 7 days. (a month ago)
We have sent a second fix follow up to the pimcore team. We will try again in 10 days. (a month ago)
Divesh Pahuja confirmed that a fix has been merged on 2fd468. (a month ago)
Divesh Pahuja has been awarded the fix bounty.