Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Oct 29th 2021
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
Proof of Concept
1. Go to Asset Metadata Class Definitions and create a new one, or edit an existing one.
2. In the Name input, inject any XSS payload.
3. An alert fires; the payload is stored on the server.

Video PoC: https://drive.google.com/file/d/1dH7QNp6qpsfulBkv9iVlfIjS6I-YyPMQ/view?usp=sharing
This vulnerability can be used to steal a user's session, take over a user account, or redirect the user to an attacker-controlled site.
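The two controls that close this class of bug for a stored Name field, as an added example that is not part of the original report and is not Pimcore's code: encode the value where it is written into HTML, and reject non-identifier names on save. All function names, the sample value and the name rule are assumptions made for illustration.

```javascript
// Added example: names and rules here are hypothetical, not Pimcore's code.

// Constructed sample of markup arriving in the "Name" input.
const storedName = '<img src=x onerror=alert(1)>';

// Encode the characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Before: the stored name is concatenated into markup as-is,
// so the browser parses it as an element.
function renderRowUnsafe(name) {
  return '<td class="name">' + name + '</td>';
}

// After: the stored name is encoded at the point of output,
// so the browser shows it as inert text.
function renderRowSafe(name) {
  return '<td class="name">' + escapeHtml(name) + '</td>';
}

// Defence in depth on save: accept only identifier-like names (assumed rule).
function isValidDefinitionName(name) {
  return typeof name === 'string' && /^[A-Za-z][A-Za-z0-9_]{0,63}$/.test(name);
}

// Save handler sketch: invalid names never reach storage.
function saveDefinition(store, name) {
  if (!isValidDefinitionName(name)) {
    return { ok: false, error: 'invalid name' };
  }
  store.push(name);
  return { ok: true };
}
```

Output encoding is the primary fix because it also neutralises values already in storage; the save-time check only stops new ones.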