Cross-site Scripting (XSS) - Stored in pimcore/pimcore


Reported on

Mar 9th 2022


pimcore datahub is vulnerable to Stored XSS in multiple places including:

(1) Field-Collections in Data Objects

(2) Objectbricks in Data Objects

Proof of Concept (for both 1 & 2)

Step 1: Go to and login.

Step 2: Click Settings > Data Objects > Field-Collections / Objectbricks > Add

Step 3: Input aaa so as to capture legitimate POST request in Burp Suite

Step 4: Modify value of the "key" parameter in the body of POST request as below, which is URL encoded


Step 5: Forward the request

You will see the an alert box prompt whenever you access Field-Collections / Objectbricks


This vulnerability is capable for letting attacker potentially steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We are processing your report and will contact the pimcore team within 24 hours. a year ago
James Yeung modified the report
a year ago
Divesh Pahuja validated this vulnerability a year ago
James Yeung has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the pimcore team. We will try again in 7 days. a year ago
Divesh Pahuja marked this as fixed in 10.4.0 with commit 6e0922 a year ago
Divesh Pahuja has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation