Cross-site Scripting (XSS) - Stored in pimcore/customer-data-framework

Valid

Reported on

Dec 23rd 2021


Description

Stored cross-site scripting vulnerability in the pimcore app: the name and description fields in customer automation rules are vulnerable to XSS.

Proof of Concept

1. Log in to the account.

2. Go to Customers --> Customer Automation Rules --> add the payload in the name field.

3. Payload: "><iMg SrC="x" oNeRRor="alert(1);">

Impact

This vulnerability can be used to steal the user's cookie.

Occurrences

description field
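
Stored XSS in fields like these is closed by HTML-encoding the stored value where it is written into markup. The following is an added example, not code from the report or from pimcore's rule.js: it renders a rule's name and description with and without encoding, using the payload from step 3. The function names, the markup and the sample record are hypothetical.

```javascript
// Added example: hypothetical rendering helpers, not pimcore's rule.js.

// The five characters that can switch the HTML parser out of text or
// attribute-value context, mapped to their entity form.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// "Before": stored values are concatenated into markup unchanged, once in
// an attribute value (title) and once as element text.
function renderRuleUnsafe(rule) {
  return '<div class="rule" title="' + rule.description + '">' +
    rule.name + '</div>';
}

// "After": every stored value is encoded at the point of output.
function renderRuleSafe(rule) {
  return '<div class="rule" title="' + escapeHtml(rule.description) + '">' +
    escapeHtml(rule.name) + '</div>';
}

// Rough check for a regression test: count element start tags in the
// markup. A regex is not an HTML parser, but it is enough to show whether
// stored data produced tags beyond the single <div> the template emits.
function countStartTags(markup) {
  return (markup.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample record carrying the payload from the report.
const payload = '"><iMg SrC="x" oNeRRor="alert(1);">';
const storedRule = { name: payload, description: payload };

console.log(renderRuleUnsafe(storedRule));
console.log('start tags (unsafe):', countStartTags(renderRuleUnsafe(storedRule)));
console.log(renderRuleSafe(storedRule));
console.log('start tags (safe):', countStartTags(renderRuleSafe(storedRule)));
```
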

We are processing your report and will contact the pimcore/customer-data-framework team within 24 hours. a year ago
We have contacted a member of the pimcore/customer-data-framework team and are waiting to hear back a year ago
We have sent a follow up to the pimcore/customer-data-framework team. We will try again in 7 days. a year ago
We have sent a second follow up to the pimcore/customer-data-framework team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the pimcore/customer-data-framework team. This report is now considered stale. a year ago
Divesh Pahuja validated this vulnerability a year ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
Divesh Pahuja marked this as fixed in 3.2.6 with commit 1e7a82 a year ago
Divesh Pahuja has been awarded the fix bounty
This vulnerability will not receive a CVE
rule.js#L119-L122 has been validated
rule.js#L125-L130 has been validated