Cross-site Scripting (XSS) - Stored in pimcore/customer-data-framework

Valid

Reported on Dec 23rd 2021


Description

Stored cross-site scripting vulnerability in the pimcore app: the name and description fields are vulnerable to XSS in customer automation rules.

Proof of Concept

1. Log in to the account.

2. Go to customers --> customer automation rules --> add the payload in the name field.

3. Payload: "><iMg SrC="x" oNeRRor="alert(1);">

Impact

This vulnerability is capable of stealing the user's cookie.

Occurrences

description field
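
The vulnerable rendering pattern beside its output-encoded form, as an added example that is not part of the original report and is not pimcore's code. The rule object, markup and function names are hypothetical; the stored value is the payload from step 3.

```javascript
// Added example, not pimcore code: rule shape, markup and names are hypothetical.

// Constructed sample: a saved rule whose name and description both hold
// the payload from the report.
const storedRule = {
  name: '"><iMg SrC="x" oNeRRor="alert(1);">',
  description: '"><iMg SrC="x" oNeRRor="alert(1);">',
};

// Encode the five characters that can change the HTML parsing context,
// so the value is safe in both element text and quoted attributes.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: stored text is concatenated into markup unchanged,
// so the leading "> closes the attribute and tag it was placed in.
function renderRuleUnsafe(rule) {
  return '<div class="rule" title="' + rule.description + '">' + rule.name + '</div>';
}

// Hardened pattern: every stored value is encoded at the point of output.
function renderRuleSafe(rule) {
  return '<div class="rule" title="' + htmlEncode(rule.description) + '">' +
    htmlEncode(rule.name) + '</div>';
}

// Regression check: list the element names the markup opens. Any name
// other than the template's own "div" means stored data became markup.
function openedTags(html) {
  return (html.match(/<[a-zA-Z][^\s>\/]*/g) || []).map((t) => t.slice(1).toLowerCase());
}

console.log(openedTags(renderRuleUnsafe(storedRule)));
console.log(openedTags(renderRuleSafe(storedRule)));
```

Encoding at output time also covers rules that were saved before a fix was deployed, which input-side filtering alone does not.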

We are processing your report and will contact the pimcore/customer-data-framework team within 24 hours. 5 months ago
We have contacted a member of the pimcore/customer-data-framework team and are waiting to hear back 5 months ago
We have sent a follow up to the pimcore/customer-data-framework team. We will try again in 7 days. 5 months ago
We have sent a second follow up to the pimcore/customer-data-framework team. We will try again in 10 days. 5 months ago
We have sent a third and final follow up to the pimcore/customer-data-framework team. This report is now considered stale. 4 months ago
Divesh Pahuja validated this vulnerability 4 months ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
Divesh Pahuja confirmed that a fix has been merged on 1e7a82 4 months ago
Divesh Pahuja has been awarded the fix bounty
rule.js#L119-L122 has been validated
rule.js#L125-L130 has been validated