Stored XSS in the Redirects module in pimcore/pimcore

Valid

Reported on

Feb 28th 2023


Description

pimcore is vulnerable to Stored XSS in the Expiry field of the Redirects module.

Payload

"><img src=x onerror=alert(document.domain);>

Steps to reproduce/Proof of Concept

1. Go to https://demo.pimcore.fun/admin/ and log in.
2. In the left menu bar, go to Tools -> Redirects.
3. In the Redirects tab, click the Add button, enter any text in the Source and Target fields and click Save.
4. In the newly added record, in the Expiry column, enter the payload "><img src=x onerror=alert(document.domain);>
You will see the XSS popup trigger.

Impact

An attacker could use this vulnerability to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie, or to redirect users to other malicious sites.
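
Added example, not part of the original report and not pimcore's code: one way to defend a date field such as Expiry, by rejecting non-date input on save and HTML-encoding the value on render. All function names are hypothetical, and the unsafe renderer is an assumed illustration of attribute-context concatenation, since the report does not show the affected code.

```javascript
// Added example: hypothetical helpers, not pimcore code.
const PAYLOAD = '"><img src=x onerror=alert(document.domain);>'; // payload quoted in the report

// HTML-encode a value before it is placed in markup or an attribute.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only an empty value or a real calendar date (YYYY-MM-DD).
// Returns a Unix timestamp (seconds, UTC), null for "no expiry", or throws.
function normalizeExpiry(input) {
  if (input === null || input === undefined || input === '') return null;
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(input));
  if (!m) throw new TypeError('expiry must be YYYY-MM-DD');
  const [y, mo, d] = m.slice(1).map(Number);
  const date = new Date(Date.UTC(y, mo - 1, d));
  // Date.UTC rolls 2023-02-30 over into March; reject such values.
  if (date.getUTCFullYear() !== y || date.getUTCMonth() !== mo - 1 || date.getUTCDate() !== d) {
    throw new RangeError('expiry is not a valid calendar date');
  }
  return date.getTime() / 1000;
}

// Assumed vulnerable pattern: stored text is concatenated into markup unchanged.
function renderExpiryCellUnsafe(stored) {
  return '<input type="text" value="' + stored + '">';
}

// Hardened pattern: render from the validated timestamp and encode anyway.
function renderExpiryCellSafe(timestamp) {
  const text = timestamp === null ? '' : new Date(timestamp * 1000).toISOString().slice(0, 10);
  return '<input type="text" value="' + htmlEncode(text) + '">';
}

// Save path: reject anything that is not a date before it is stored.
function saveExpiry(input) {
  try {
    return { ok: true, value: normalizeExpiry(input) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}
```

Validation on save keeps the payload out of storage, and encoding on render covers values that were stored before validation existed.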

We are processing your report and will contact the pimcore team within 24 hours. 3 months ago
KhanhCM modified the report
3 months ago
KhanhCM modified the report
3 months ago
We have contacted a member of the pimcore team and are waiting to hear back 3 months ago
KhanhCM
2 months ago

Researcher


Hi @admin,

It seems that this vulnerability has been remediated by the maintainer recently. You can find the commit from 3 days ago here: https://github.com/pimcore/pimcore/commit/44c6b37aa649a0e3105fa41f3d74a3e511acf964#diff-790d038f72f063fd7667049c641b2454fe782252e06ca7c8272eba0b7aa44a5c

Can you contact the pimcore maintainer team to acknowledge and validate this report?
Many thanks!

Divesh Pahuja validated this vulnerability 2 months ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.19 with commit 44c6b3 2 months ago
Divesh Pahuja has been awarded the fix bounty
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 2 months ago