Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Valid
Reported on Feb 25th 2022
Description
pimcore is vulnerable to Stored XSS at Title field in the SEO & Settings tab of a Document page.
Payload
"><img src=x onerror=alert(1);>
Steps to reproduce
1. Go to https://demo.pimcore.fun/admin/ and log in.
2. Click on any document (Home, de,...) in the Documents
3. Go to the SEO & Settings tab and, in the Title field, input the payload "><img src=x onerror=alert(1);>
You will see the XSS popup trigger.
Impact
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
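The report's payload breaks out of a double-quoted attribute value, which is what happens when a stored title is concatenated into markup without encoding. The following is an added example, not code from the report or from pimcore's settings.js; the function names and the input element are assumptions chosen to show the unencoded pattern next to an encoded one.

```javascript
// Constructed sample: the Title value from the report, as read back from storage.
const storedTitle = '"><img src=x onerror=alert(1);>';

// Unsafe pattern: the stored value is concatenated straight into an attribute.
// The leading "> closes the attribute and the tag, so the rest parses as new markup.
function renderTitleUnsafe(title) {
  return '<input type="text" name="title" value="' + title + '">';
}

// Encode the characters that can terminate an attribute value or open a tag.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Safe pattern: same markup, value encoded for the attribute context.
// In browser code, assigning element.value or textContent avoids string-built HTML entirely.
function renderTitleSafe(title) {
  return '<input type="text" name="title" value="' + escapeHtmlAttr(title) + '">';
}

// Crude tokenizer for demonstration only: lists the element names a parser would open.
function tagNames(markup) {
  return [...markup.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Compare which elements each rendering produces for the stored value.
function demo() {
  return {
    unsafe: tagNames(renderTitleUnsafe(storedTitle)),
    safe: tagNames(renderTitleSafe(storedTitle)),
  };
}

console.log(demo());
```

The unencoded rendering yields a second element carrying an event handler, while the encoded rendering yields only the input with the title kept as inert text.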
We are processing your report and will contact the pimcore team within 24 hours.
2 years ago
We have contacted a member of the pimcore team and are waiting to hear back
2 years ago
We have sent a follow up to the pimcore team. We will try again in 7 days.
2 years ago
JiaJia Ji modified the report
2 years ago
settings.js#L79-L83 has been validated
settings.js#L109-L116 has been validated