Stored XSS via name parameter of "Predefined Properties" in pimcore/pimcore


Reported on

Mar 21st 2023


It's observed that the name parameter of the "Predefined Properties" functionality is vulnerable to stored XSS.

Proof of Concept

1.Login to

2.Now go to Settings -> Predefined Properties -> Add and Enter the payload: ```"><img src=1 onerror=alert(document.domain)>``` inside the name input field.

3.Then click on update.

4.Now delete the name, you will see XSS will trigger.

Video PoC


This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.


We are processing your report and will contact the pimcore team within 24 hours. 2 months ago
We have contacted a member of the pimcore team and are waiting to hear back 2 months ago
Pavlos has marked this vulnerability as a duplicate of 41edf190-f6bf-4a29-a237-7ff1b2d048d3 2 months ago

Please add it to the above report as an occurrence. Opening more than 1 report per vulnerability type by circumventing our bundling system can result in a ban.

The disclosure bounty has been dropped
The fix bounty has been dropped
The researcher's credibility has decreased: -5
2 months ago


Hi @psmoros i have updated the report and added this as occurrence

SAMPRIT DAS modified the report
20 days ago
20 days ago


@dvesh3 @maintainer Now please validate the report and the occurrences.

SAMPRIT DAS modified the report
17 days ago
Divesh Pahuja validated this vulnerability 17 days ago
SAMPRIT DAS has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.21 with commit 7a7993 17 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja
17 days ago


@admin how can i find the published CVE for this fix? thanks!

16 days ago


@admin please help

Ben Harvie
16 days ago


Hi, the CVE is assigned and will update to published shortly. Thanks!

to join this conversation