Cross-site Scripting (XSS) - Stored in pimcore/data-hub
Reported on
Mar 8th 2022
Description
pimcore datahub is vulnerable to Stored XSS in the Unique Identifier field of the "Add a new configuration" function in Datahub. Whenever an admin user accesses Datahub, the stored XSS is triggered.
Proof of Concept
Step 1: Go to https://demo.pimcore.fun/admin/ and login.
Step 2: Click Datahub
Step 3: Click Add Configuration
Step 4: Input aaa so as to capture a legitimate request in Burp Suite
Step 5: Modify the value of the name parameter in the GET request as below (URL encoded)
"><img+src%3dx+onerror%3dalert(1)%3b>
Step 6: Forward the request
You will see an alert box prompt whenever you access Datahub.
Impact
This vulnerability could let an attacker steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
Occurrences
ConfigController.php L46-L65
There is no input sanitization of client-supplied data (e.g. escaping of HTML characters).
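The two controls that would have closed this report, as an added example and not pimcore's own code: an allow-list check on the identifier before it is stored, and HTML escaping when the stored name is rendered into admin markup. The regex allow-list and the function names are assumptions; the input is the URL-encoded payload from Step 5 above.

```php
<?php
// Added example (not code from the pimcore/data-hub project). Shows how a
// datahub configuration name would be handled with two independent controls:
// 1. the unique identifier is restricted to a safe character set on input,
// 2. the value is HTML-escaped on every output into admin markup.
// Either control alone stops the payload in this report; keep both.
declare(strict_types=1);

/**
 * Validate a configuration identifier before it is persisted.
 * Hypothetical allow-list: letters, digits, underscore, hyphen, 1-64 chars.
 * Returns null when the value is rejected.
 */
function validateConfigName(string $name): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name) === 1 ? $name : null;
}

/**
 * Escape a stored value for insertion into an HTML text node or attribute.
 * ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids returning an
 * empty string on invalid UTF-8, which would silently hide a bad record.
 */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// The name parameter from the report, as the server sees it after URL decoding.
// urldecode() maps '+' to a space, so this becomes: "><img src=x onerror=alert(1);>
$payload = urldecode('"><img+src%3dx+onerror%3dalert(1)%3b>');

check(validateConfigName($payload) === null, 'payload rejected on input');
check(validateConfigName('my-config_1') === 'my-config_1', 'normal name accepted');

$escaped = escapeForHtml($payload);
check($escaped === '&quot;&gt;&lt;img src=x onerror=alert(1);&gt;', 'escaped form');
check(strpos($escaped, '<') === false, 'no tag can open in rendered output');

echo "input validation and output encoding both hold\n";
```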
May I know if CVE ID could be assigned in this case? Thanks!
We have not automatically assigned a CVE here as we only do this for the top 40% of popular packages/repositories on GitHub.
However, if requested manually, we can if the maintainer is happy to publish a CVE.
@maintainer - are you happy for us to assign and publish a CVE?
Sorted! ♥️ Let me know once you are ready to publish this report and I will make the CVE live in the MITRE/NVD database.
@admin, may I know if it's normal to wait days for an update on https://nvd.nist.gov/vuln/detail/CVE-2022-0955?
Since I found other CVEs get an update after only 2-3 days. Thanks!
@scriptidiot - thanks for the nudge here. This is only because the CVE was assigned manually. Publishing the CVE for you now - it should be live in 1 hour.