Stored XSS in the Redirects module in pimcore/pimcore


Reported on

Feb 28th 2023


pimcore is vulnerable to Stored XSS in the Expiry field of the Redirects module.


"><img src=x onerror=alert(document.domain);>

Steps to reproduce / Proof of Concept

1. Go to and log in.
2. In the left menu bar, go to Tools -> Redirects.
3. In the Redirects tab, click the Add button, input any text into the Source and Target fields and click Save.
4. In the newly added record, at the Expiry column, input the payload "><img src=x onerror=alert(document.domain);>
You will see the XSS popup trigger.


This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.
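The root cause described in this report is an admin grid cell that renders whatever text was stored in the Expiry column as HTML. The following is an added example, not pimcore's own code and not the fix referenced later on this page: it contrasts a hypothetical unescaped cell renderer with an escaping one, adds a date-only validator for the Expiry value (the assumption being that the field should only ever hold a date), and includes a small check that tells whether rendered markup contains anything besides the wrapper element. The payload it runs is the one reported on this page; the renderer and function names are assumptions for illustration.

```javascript
// Added example (not pimcore code): defending an admin grid cell against stored XSS.

// Map of the five characters that must be escaped in an HTML text/attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape a value before interpolating it into markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical "before" renderer: raw interpolation turns stored text into live markup.
function renderExpiryUnsafe(value) {
  return `<span class="expiry">${value}</span>`;
}

// Hypothetical "after" renderer: the same output shape, but the value is escaped.
function renderExpirySafe(value) {
  return `<span class="expiry">${escapeHtml(value)}</span>`;
}

// Defence in depth (assumption: Expiry is an optional YYYY-MM-DD date).
// Reject anything that is not a real calendar date, so markup never reaches storage.
function isValidExpiry(value) {
  if (value === null || value === undefined || value === '') return true;
  if (!/^\d{4}-\d{2}-\d{2}$/.test(value)) return false;
  const d = new Date(value + 'T00:00:00Z');
  // Round-trip check catches impossible dates such as 2023-02-30.
  return !Number.isNaN(d.getTime()) && d.toISOString().slice(0, 10) === value;
}

// Review helper: true if the rendered HTML contains any tag other than the <span> wrapper.
function containsInjectedMarkup(html) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.some((tag) => !/^<\/?span\b/i.test(tag));
}

// Constructed sample input: the payload from this report, plus a benign date.
const POC_PAYLOAD = '"><img src=x onerror=alert(document.domain);>';
const BENIGN_DATE = '2023-02-28';

// Stand-alone demonstration of both renderers and the validator.
function demo() {
  return {
    unsafeInjected: containsInjectedMarkup(renderExpiryUnsafe(POC_PAYLOAD)),
    safeInjected: containsInjectedMarkup(renderExpirySafe(POC_PAYLOAD)),
    payloadAccepted: isValidExpiry(POC_PAYLOAD),
    dateAccepted: isValidExpiry(BENIGN_DATE),
  };
}

console.log(demo());
```

Run it with node; `unsafeInjected` is true while `safeInjected` is false, showing that escaping alone neutralises the payload, and `isValidExpiry` rejects it before it is ever stored. Output encoding at the render site is the primary fix; the validator is an extra layer, not a substitute for it.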

We are processing your report and will contact the pimcore team within 24 hours. 3 months ago
KhanhCM modified the report
3 months ago
We have contacted a member of the pimcore team and are waiting to hear back 3 months ago
2 months ago


Hi @admin,

It seems that this vulnerability has been remediated by the maintainer recently. You can find the commit 3 days ago here:

Can you contact the pimcore maintainer team to acknowledge and validate this report?
Many thanks!

Divesh Pahuja validated this vulnerability 2 months ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.19 with commit 44c6b3 2 months ago
Divesh Pahuja has been awarded the fix bounty
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 2 months ago