XSS in Classes of Data Objects module in Settings in pimcore/pimcore


Reported on

Mar 26th 2023


pimcore is vulnerable to XSS at fromDate and toDate fields in Classes of Data Objects module in Settings.


"><img src=x onerror=alert(document.domain);>

Proof of Concept

1.Go to https://11.x-dev.pimcore.fun/admin/ and login.
2.In the left menu bar, go to Settings -> Data Objects -> Classes and click on any class.
3.In the new open tab, click on fromDate or toDate section, then input the payload "><img src=x onerror=alert(document.domain);> into the Default value field.
4.Click Save button then click on the input field again. You will see the XSS popup triggers.


This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.

We are processing your report and will contact the pimcore team within 24 hours. 2 months ago
We have contacted a member of the pimcore team and are waiting to hear back 2 months ago
pimcore/pimcore maintainer has acknowledged this report 2 months ago
Christian F. validated this vulnerability a month ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.21 with commit fb3056 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability a month ago
to join this conversation