Stored cross-site scripting vulnerability in the Save grid option in the pimcore dashboard in pimcore/pimcore
Valid
Reported on
Mar 30th 2023
Description
Stored cross-site scripting vulnerability in the Save grid option in the pimcore dashboard.
Proof of Concept
Log in to the demo account at https://11.x-dev.pimcore.fun/admin/login
In the left-side menu, go to document --> perspective --> cdp: https://11.x-dev.pimcore.fun/admin/?perspective=CDP
This takes you to the customer data. Select any customer record, e.g. 1020 or 5020.
Now go to the dashboard, open the Grid option drop-down, and select save as copy.
Enter the name "><iMg SrC="x" oNeRRor="alert(1);">
Click save and check the grid options; the alert will pop up.
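// PoC.js
// Name entered in the "save as copy" dialog. Single quotes wrap the string so the payload's own double quotes stay literal.
var payload = '"><iMg SrC="x" oNeRRor="alert(1);">';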
Impact
An attacker can steal the user's session cookie, which leads to complete account takeover.
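The stored name only becomes dangerous when it is written back into the page without encoding. The following sketch is an added example, not code from the report or from pimcore: the in-memory store, the function names and the `<li>` markup are assumptions chosen to show the unencoded rendering next to an output-encoded one, using the name from the report.

```javascript
// Added illustration. All names here are hypothetical; this is not pimcore code.
const savedGridConfigs = []; // stand-in for the server-side store of saved grid configurations

function saveGridConfigCopy(name) {
  // The name is stored verbatim; encoding is applied at output time for the context in use.
  savedGridConfigs.push({ id: savedGridConfigs.length + 1, name: String(name) });
}

// Encode the characters that let text break out of HTML text or a quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup as-is,
// so it is interpreted as HTML for every user who opens the grid options.
function renderGridOptionsUnsafe() {
  return savedGridConfigs
    .map((c) => '<li title="' + c.name + '">' + c.name + '</li>')
    .join('');
}

// Hardened pattern: the name is encoded in both the attribute and the text context.
function renderGridOptionsSafe() {
  return savedGridConfigs
    .map((c) => {
      const name = htmlEncode(c.name);
      return '<li title="' + name + '">' + name + '</li>';
    })
    .join('');
}

// Counts tag openers so the two renderings can be compared without a browser.
function countTagOpeners(html) {
  return (html.match(/<\/?[a-z]/gi) || []).length;
}

// Constructed sample data: one ordinary name and the name from the report.
saveGridConfigCopy('Customers by region');
saveGridConfigCopy('"><iMg SrC="x" oNeRRor="alert(1);">');

console.log(countTagOpeners(renderGridOptionsUnsafe())); // 6: two extra <iMg> elements were created
console.log(countTagOpeners(renderGridOptionsSafe()));   // 4: only the template's own <li> tags
```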
We are processing your report and will contact the pimcore team within 24 hours.
2 months ago
We have contacted a member of the pimcore team and are waiting to hear back
2 months ago
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability has been assigned a CVE