Cross Site Scripting (XSS) in Model\DataObject\Data\UrlSlug in pimcore/pimcore
Valid
Reported on
Jan 31st 2023
Description
Cross Site Scripting (XSS) in Model\DataObject\Data\UrlSlug of pimcore/pimcore
Proof of Concept
1. Login in stable account URL : https://demo.pimcore.fun/admin
2. Go to System Data ---> UrlSlug
3. Enter Payload in UrlSlug with starting with "/" slash.
For more understanding please check POC.
// PoC.js
var payload = /"><img src=x onerror=alert(document.domain);>
POC : https://drive.google.com/file/d/16gzOf4tUqUyUCq3JSENdG_AhgmJ6JHUy/view?usp=sharing
Impact
An attacker can use XSS to send a malicious script to an unsuspecting user.
We are processing your report and will contact the
pimcore
team within 24 hours.
3 months ago
We have contacted a member of the
pimcore
team and are waiting to hear back
3 months ago
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability has been assigned a CVE
to join this conversation
