Cross-Site Request Forgery (CSRF) in pimcore/demo


Reported on

Oct 11th 2021


Pimcore is vulnerable to Cross-site request forgery. It is possible to add arbitrary products to the victim's cart.

Proof of Concept

1: Open on a browser.

2: Check out the cart with Jaguar E-Type product.


Attackers might fool victims to buy products they do not want.

We have contacted a member of the pimcore/demo team and are waiting to hear back a year ago
Bernhard Rusch validated this vulnerability a year ago
Renan Rocha has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bernhard Rusch
a year ago


While this is valid, I think the severity is by far too high. We're talking about a demo repository, not a boilerplate or production code at all 😉 So for us this has less priority for now. Thanks for your understanding.

Divesh Pahuja marked this as fixed in 10.1.8 with commit 13ef64 a year ago
Divesh Pahuja has been awarded the fix bounty
This vulnerability will not receive a CVE
CartController.php#L66-L84 has been validated
to join this conversation