Cross-site Scripting (XSS) - Stored in pimcore/pimcore


Reported on

Oct 29th 2021


Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

Proof of Concept

1 --> Go to Asset Metadata Class Definitions -> create another one or just edit a previous one.
2 --> In the Name input, inject any XSS payload.
3 --> Getting an alert stored in the server.

// PoC.js

1 --> Video POC ->


This vulnerability is capable of... stealing the user session, taking over the user account, redirecting the user to an attacker-controlled site.
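
The stored-then-rendered flow from the steps above, as an added example that is not part of the original report and is neither Pimcore's code nor its fix: a definition name is saved, then rendered once unencoded and once HTML-encoded, with an allow-list check at save time. The store, the function names, the name pattern and the sample string are all assumptions constructed for illustration.

```javascript
// Added illustration; every name here is hypothetical, none is Pimcore code.
const store = new Map(); // constructed stand-in for persisted definitions

// Assumed allow-list for a definition name: starts with a letter,
// then letters, digits or underscore, at most 64 characters.
const NAME_RE = /^[A-Za-z][A-Za-z0-9_]{0,63}$/;

// Save a definition name; with validate=true, reject names outside the allow-list.
function saveDefinition(id, name, validate) {
  if (validate && !NAME_RE.test(name)) {
    throw new Error("invalid definition name");
  }
  store.set(id, name);
}

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored name reaches the markup unchanged.
function renderRowUnsafe(id) {
  return '<td class="name">' + store.get(id) + "</td>";
}

// Hardened pattern: encode at output time, whatever was stored.
function renderRowSafe(id) {
  return '<td class="name">' + escapeHtml(store.get(id)) + "</td>";
}

// Constructed sample input, matching the alert test the report mentions.
const SAMPLE_NAME = "<script>alert(1)</script>";

function demo() {
  saveDefinition(1, SAMPLE_NAME, false); // save path without validation
  let rejected = false;
  try {
    saveDefinition(2, SAMPLE_NAME, true); // validated save path
  } catch (e) {
    rejected = true;
  }
  return { unsafe: renderRowUnsafe(1), safe: renderRowSafe(1), rejected };
}

console.log(demo());
```

Encoding at output covers names that were stored before any validation existed, which the save-time check alone does not.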

We have contacted a member of the pimcore team and are waiting to hear back (2 years ago)
Bernhard Rusch validated this vulnerability (2 years ago)
0x9x has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bernhard Rusch marked this as fixed with commit 542d0c (2 years ago)
Bernhard Rusch has been awarded the fix bounty
This vulnerability will not receive a CVE
Bernhard Rusch
2 years ago


Thanks for reporting! However, I do not agree with the severity, since this is an admin-only functionality, there's not much impact in terms of security (an admin can do anyway whatever he wants).

2 years ago


Thanks for the quick update!

2 years ago


Yes! I know, but linking this with a CSRF attack will lead to a full account takeover!

2 years ago

Hey guys, even pre-authentication RCEs don't have a 9.8 score… please be careful about CVE scores, because when the users of Pimcore see this, they may be shocked…

2 years ago


:/ Not that bad a thing! I know this was a small mistake by me.
