Cross-site Scripting (XSS) - Stored in pimcore/pimcore


Reported on

Oct 29th 2021


Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. In a stored (persistent) XSS the payload is saved on the server and executes in the browser of every user who later views the affected page.

Proof of Concept

1 --> Go to Asset Metadata Class Definitions -> create a new definition or edit an existing one.
2 --> In the Name input, inject any XSS payload.
3 --> The payload is persisted on the server and the alert fires whenever the stored definition is displayed.
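The pattern behind steps 1-3, as an added illustration that is not code from the report or from the pimcore project: a stored definition name is interpolated into admin-UI markup once unescaped (the vulnerable shape) and once escaped on output (the hardened shape). The function names, the sample definitions and the payload below are constructed for this example and are not taken from pimcore's code base.

```javascript
"use strict";

// Minimal HTML escaper covering the text and double-quoted-attribute contexts.
// (Constructed helper for this example; not pimcore's own escaping routine.)
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the name stored from the definition form is dropped
// straight into the markup that every admin's browser renders.
function renderDefinitionRowUnsafe(def) {
  return `<tr data-id="${def.id}"><td>${def.name}</td><td>${def.type}</td></tr>`;
}

// Hardened pattern: every attacker-controlled field is escaped on output,
// so the browser shows the payload as text instead of parsing it as a tag.
function renderDefinitionRowSafe(def) {
  return `<tr data-id="${escapeHtml(def.id)}"><td>${escapeHtml(def.name)}</td><td>${escapeHtml(def.type)}</td></tr>`;
}

// Crude check: after removing the tags the renderer emits itself, is there
// any tag left over? If so, user data became markup.
function containsInjectedMarkup(html) {
  const stripped = html.replace(/<\/?(tr|td)\b[^>]*>/g, "");
  return /<[a-zA-Z]/.test(stripped);
}

// Constructed sample data: one benign definition and one whose "Name" carries
// a typical stored-XSS payload of the kind described in the PoC.
const PAYLOAD = "<img src=x onerror=alert(document.domain)>";
const SAMPLE_DEFINITIONS = [
  { id: 1, name: "copyright", type: "input" },
  { id: 2, name: PAYLOAD, type: "input" },
];

// Render the whole definition list with a given row renderer.
function renderAll(render) {
  return SAMPLE_DEFINITIONS.map(render).join("\n");
}

// Stand-alone demonstration: the unsafe table carries a live <img> tag,
// the safe table carries only "&lt;img ...&gt;" text.
console.log("unsafe:\n" + renderAll(renderDefinitionRowUnsafe));
console.log("safe:\n" + renderAll(renderDefinitionRowSafe));
```

The same reasoning applies to any other context the stored name reaches (JavaScript string literals, URLs, ExtJS templates): escaping must match the context in which the value is emitted, which is why the hardened renderer escapes attribute values and text nodes separately from any other sink.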



This vulnerability is capable of stealing the user's session, taking over the user's account, or redirecting the user to an attacker-controlled site.

We have contacted a member of the pimcore team and are waiting to hear back a year ago
Bernhard Rusch validated this vulnerability a year ago
0x9x has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bernhard Rusch confirmed that a fix has been merged on 542d0c a year ago
Bernhard Rusch has been awarded the fix bounty
Bernhard Rusch
a year ago


Thanks for reporting! However, I do not agree with the severity: since this is admin-only functionality, there's not much impact in terms of security (an admin can do whatever he wants anyway).

a year ago


Thanks for the quick update!

a year ago


Yes! I know, but linking this with a CSRF attack will lead to a full account takeover!

a year ago

Hey guys, even pre-authentication RCE doesn't have a 9.8 score … please be careful about CVE scores, because when the users of Pimcore see this, they may be shocked ….

a year ago


:/ Not that bad a thing! I know this was a small mistake by me.
