Cross-site Scripting (XSS) - Stored in pimcore/pimcore

Valid

Reported on

Mar 9th 2022


Description

pimcore datahub is vulnerable to Stored XSS in multiple places including:

(1) Field-Collections in Data Objects

(2) Objectbricks in Data Objects

Proof of Concept (for both 1 & 2)

Step 1: Go to https://10.x-dev.pimcore.fun/admin/ and login.

Step 2: Click Settings > Data Objects > Field-Collections / Objectbricks > Add

Step 3: Input aaa so as to capture legitimate POST request in Burp Suite

Step 4: Modify value of the "key" parameter in the body of POST request as below, which is URL encoded

"><img+src%3dx+onerror%3dalert(document.domain)>

Step 5: Forward the request

You will see the an alert box prompt whenever you access Field-Collections / Objectbricks

Impact

This vulnerability is capable for letting attacker potentially steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We are processing your report and will contact the pimcore team within 24 hours. 2 months ago
James Yeung modified the report
2 months ago
Divesh Pahuja validated this vulnerability 2 months ago
James Yeung has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the pimcore team. We will try again in 7 days. 2 months ago
Divesh Pahuja confirmed that a fix has been merged on 6e0922 2 months ago
Divesh Pahuja has been awarded the fix bounty
to join this conversation