Stored XSS in Tooltip in pimcore/pimcore
Mar 23rd 2022
Classes in Data Objects have a Tooltip field, and it is vulnerable to a stored XSS attack.
Proof of Concept
STEP1: Log in at https://demo.pimcore.fun/admin/
STEP2: Go to Settings->Data Objects->Classes, then choose an item, like product Data->AccessoryPart (AP)->compatibleTo.
STEP3: Add the payload <img src onerror=alert(1)> in the tooltip field, then save.
STEP4: Open an AccessoryPart type Data Object and move the cursor over the Compatible To field to trigger the event.
Every item that contains a tooltip field is vulnerable to the attack.
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
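One way to neutralise and audit for this issue, as an added example that is not Pimcore's code or part of the original report: encode the tooltip as text at render time, and scan class definitions for tooltips that already contain markup. The function names, the `children`/`childs` tree shape and the sample definition are assumptions made for illustration.

```javascript
// Added example. All names and the sample data are constructed, not Pimcore code.

// Encode the characters that let text be parsed as markup or break out of an attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value ?? '').replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical renderer: the stored tooltip is always treated as text, never as HTML.
function renderTooltip(field) {
  return '<div class="tooltip">' + escapeHtml(field.tooltip) + '</div>';
}

// Heuristic for markup-like content: a tag opener, a numeric entity, or an event-handler attribute.
const MARKUP = /<[a-z!\/]|&#|\bon\w+\s*=/i;

// Walk a class definition tree (assumed shape: nested `children` or `childs` arrays)
// and report every field whose stored tooltip looks like markup.
function findSuspiciousTooltips(node, path = []) {
  const hits = [];
  if (!node || typeof node !== 'object') return hits;
  const here = node.name ? [...path, node.name] : path;
  if (typeof node.tooltip === 'string' && MARKUP.test(node.tooltip)) {
    hits.push({ field: here.join('/'), tooltip: node.tooltip });
  }
  for (const child of node.children || node.childs || []) {
    hits.push(...findSuspiciousTooltips(child, here));
  }
  return hits;
}

// Constructed sample definition; the first tooltip is the payload from the report.
const sampleClass = {
  name: 'AccessoryPart',
  children: [
    { name: 'compatibleTo', tooltip: '<img src onerror=alert(1)>' },
    { name: 'additionalCategories', tooltip: 'Pick one or more categories' },
    { name: 'panel', children: [{ name: 'notes', tooltip: 'Use "quotes" & ampersands freely' }] },
  ],
};

for (const hit of findSuspiciousTooltips(sampleClass)) {
  console.log('review tooltip on ' + hit.field + ': ' + escapeHtml(hit.tooltip));
}
```

The scan is a review aid for values already stored; the encoding at render time is what stops the tooltip from executing.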