Cross-site Scripting (XSS) - Stored in pimcore/pimcore

Valid

Reported on

Oct 29th 2021


Description

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. In a stored XSS, the payload is persisted on the server and executes in the browser of every user who later views the page that renders it.

Proof of Concept

1 --> Go to Asset Metadata Class Definitions and create a new definition, or edit an existing one.
2 --> In the Name input, inject any XSS payload.
3 --> The payload is stored on the server and an alert fires whenever the definition is displayed.



Video PoC -> https://drive.google.com/file/d/1dH7QNp6qpsfulBkv9iVlfIjS6I-YyPMQ/view?usp=sharing
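As an added illustration (this is not pimcore's code and not part of the original report), the following JavaScript contrasts a hypothetical admin UI that builds a metadata definition's label by string concatenation with one that HTML-encodes the name first. The function names `renderNameUnsafe`, `renderNameSafe`, `escapeHtml`, `introducesTag` and the stored sample definition are assumptions constructed for this example; the actual rendering path in pimcore is not shown on this page.

```javascript
// Added illustration of the stored-XSS pattern: a persisted "name" field that
// is rendered as HTML in an admin UI. Not pimcore's code; all names are
// assumptions chosen for this example.

// Minimal HTML entity encoder for text placed into an element body or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

const TEMPLATE_OPEN = '<span class="definition-name">';
const TEMPLATE_CLOSE = '</span>';

// Vulnerable pattern: the stored name is concatenated straight into markup,
// so a name carrying a tag becomes live HTML for every admin who opens the list.
function renderNameUnsafe(name) {
  return TEMPLATE_OPEN + name + TEMPLATE_CLOSE;
}

// Hardened pattern: the name is entity-encoded, so the browser shows the
// literal text and no tags or event handlers are created.
function renderNameSafe(name) {
  return TEMPLATE_OPEN + escapeHtml(name) + TEMPLATE_CLOSE;
}

// Crude check used here only to make the difference visible: does the part of
// the rendered HTML that came from user data contain the start of a tag?
function introducesTag(html) {
  const body = html.slice(TEMPLATE_OPEN.length, -TEMPLATE_CLOSE.length);
  return /<[a-zA-Z]/.test(body);
}

// Constructed sample: a metadata definition whose name carries a payload that
// would exfiltrate the session cookie, matching the impact claimed above.
const STORED_DEFINITION = { name: '<img src=x onerror=alert(document.cookie)>' };

console.log('unsafe:', renderNameUnsafe(STORED_DEFINITION.name),
  '-> introduces tag:', introducesTag(renderNameUnsafe(STORED_DEFINITION.name)));
console.log('safe:  ', renderNameSafe(STORED_DEFINITION.name),
  '-> introduces tag:', introducesTag(renderNameSafe(STORED_DEFINITION.name)));
```

Encoding at the point of output (or letting the UI framework set text rather than innerHTML) is the fix for this class of bug; validating the name on input alone is not enough, because the same stored value may later be rendered in a different context.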

Impact

This vulnerability is capable of stealing the user's session, taking over the user's account, or redirecting the user to an attacker-controlled site.

We have contacted a member of the pimcore team and are waiting to hear back 2 years ago
Bernhard Rusch validated this vulnerability 2 years ago
0x9x has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bernhard Rusch marked this as fixed with commit 542d0c 2 years ago
Bernhard Rusch has been awarded the fix bounty
This vulnerability will not receive a CVE
Bernhard Rusch
2 years ago

Maintainer


Thanks for reporting! However, I do not agree with the severity, since this is an admin-only functionality, there's not much impact in terms of security (an admin can do anyway whatever he wants).

0x9x
2 years ago

Researcher


Thanks for the quick update!

0x9x
2 years ago

Researcher


Yes! I know, but linking this with a CSRF attack will lead to a full account takeover!

amammad
2 years ago

Hey guys, even pre-authentication RCE doesn't have a 9.8 score… please be careful about CVE scores, because when the users of Pimcore see this, they may be shocked….

0x9x
2 years ago

Researcher


:/ Not that bad a thing! I know this was a small mistake by me.
