/

XSS in Seo & Settings tab of Documents in pimcore/pimcore in pimcore/pimcore

Valid

Reported on

Apr 19th 2023

Description

pimcore is vulnerable to XSS at Title field in SEO & Settings tab of Document.

Proof of Concept

1.Go to https://demo.pimcore.fun/admin/ and login. 2.In Documents, go to home -> click on SEO & Settings icon to go to this tab. 3.In the SEO & Setting tab, input the payload "><img src=x onerror=alert(document.domain)> into the Title field and press enter. 4.Click on that input field again and keep the mouse pointer hovers on it, you will see the XSS popup triggers.

alt text

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.

We are processing your report and will contact the pimcore team within 24 hours. a month ago

commented a month ago

Researcher

I'm update link poc: https://drive.google.com/file/d/1C4b2qhdDHwBa3KJENmw_OcPwM1AOA2xO/view?usp=drivesdk

We have contacted a member of the pimcore team and are waiting to hear back a month ago

A pimcore/pimcore maintainer has acknowledged this report a month ago

commented 9 days ago

Maintainer

Hi @duyhm1995, this was fixed in v10.3.3. could you please change the affected version to 10.3.2? thanks!

duyhm1995 modified the report

9 days ago

commented 9 days ago

Researcher

I had changed, thanks for reply.

Divesh Pahuja validated this vulnerability 9 days ago

duyhm1995 has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Divesh Pahuja marked this as fixed in 10.3.3 with commit 8ab06b 9 days ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

Divesh Pahuja published this vulnerability 9 days ago

to join this conversation

We are processing your report and will contact the pimcore team within 24 hours. a month ago

commented a month ago

Researcher

I'm update link poc: https://drive.google.com/file/d/1C4b2qhdDHwBa3KJENmw_OcPwM1AOA2xO/view?usp=drivesdk

We have contacted a member of the pimcore team and are waiting to hear back a month ago

A pimcore/pimcore maintainer has acknowledged this report a month ago

commented 9 days ago

Maintainer

Hi @duyhm1995, this was fixed in v10.3.3. could you please change the affected version to 10.3.2? thanks!

duyhm1995 modified the report

9 days ago

commented 9 days ago

Researcher

I had changed, thanks for reply.

Divesh Pahuja validated this vulnerability 9 days ago

duyhm1995 has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Divesh Pahuja marked this as fixed in 10.3.3 with commit 8ab06b 9 days ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

Divesh Pahuja published this vulnerability 9 days ago

to join this conversation