Cross site scripting on setting module in pimcore/pimcore
Mar 19th 2023
pimcore is vulnerable to XSS in translate module.
Proof of Concept
Step to Reproduce.
- Go to
- In the left menu bar, go to Settings -> Document Types and click on Add button to add a new record.
- Now click on translate. Add XSS payload in any language.
- No click on edit as HTML.
"><img src=x onerror=alert(document.domain);>
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Divesh Pahuja validated this vulnerability 2 months ago
Rahul Parmar has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.20 with commit 295f5e 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
to join this conversation