XSS in Seo & Settings tab of Documents in pimcore/pimcore in pimcore/pimcore
Apr 19th 2023
pimcore is vulnerable to XSS at Title field in SEO & Settings tab of Document.
Proof of Concept
1.Go to https://demo.pimcore.fun/admin/ and login. 2.In Documents, go to home -> click on SEO & Settings icon to go to this tab. 3.In the SEO & Setting tab, input the payload "><img src=x onerror=alert(document.domain)> into the Title field and press enter. 4.Click on that input field again and keep the mouse pointer hovers on it, you will see the XSS popup triggers.
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.
I'm update link poc: https://drive.google.com/file/d/1C4b2qhdDHwBa3KJENmw_OcPwM1AOA2xO/view?usp=drivesdk
Hi @duyhm1995, this was fixed in v10.3.3. could you please change the affected version to 10.3.2? thanks!
I had changed, thanks for reply.