Stored XSS in Tooltip in pimcore/pimcore

Valid

Reported on

Mar 23rd 2022


Description

The Classes in Data Objects have the Tooltip field. It is vulnerable to XSS attack.

Proof of Concept

STEP1: Log in at https://demo.pimcore.fun/admin/
STEP2: Go to Settings -> Data Objects -> Classes, then choose an item, e.g. Product Data -> AccessoryPart (AP) -> compatibleTo.
STEP3: Add the payload <img src onerror=alert(1)> in the tooltip field, then save.
STEP4: Open an AccessoryPart type Data Object and move the cursor over the Compatible To field to trigger the event.

All items that contain a tooltip field are vulnerable to this attack.

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
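The root cause described above is a tooltip string that is written into the admin UI's markup without encoding. The following is an added example, not Pimcore's code and not the fix referenced in this report; it assumes a tooltip renderer that builds an HTML fragment from the field name and the class-defined tooltip text, and shows the unsafe concatenation beside an output-encoded version. The `x-tip-body` wrapper is an assumed class name used only for illustration.

```javascript
// Added example (not Pimcore's code). Assumption: `tooltip` is attacker-controlled
// (it is edited in the class definition) and is later inserted into admin-UI HTML.

// Characters that change meaning inside HTML text or attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value so the browser renders it as literal text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: raw values concatenated straight into markup.
function renderTooltipUnsafe(fieldName, tooltip) {
  return `<div class="x-tip-body"><b>${fieldName}</b>: ${tooltip}</div>`;
}

// Hardened pattern: every untrusted value is encoded before it reaches markup.
function renderTooltipSafe(fieldName, tooltip) {
  return `<div class="x-tip-body"><b>${escapeHtml(fieldName)}</b>: ${escapeHtml(tooltip)}</div>`;
}

// Constructed sample using the payload from the report above.
const PAYLOAD = '<img src onerror=alert(1)>';
console.log('unsafe:', renderTooltipUnsafe('Compatible To', PAYLOAD));
console.log('safe:  ', renderTooltipSafe('Compatible To', PAYLOAD));
```

The unsafe output contains a live `onerror` handler; the safe output contains only `&lt;img ...&gt;`, which the browser shows as text. Encoding at the point of output is the fix that survives any future tooltip content, whereas a blocklist of known tags does not.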

We are processing your report and will contact the pimcore team within 24 hours. 2 months ago
We have contacted a member of the pimcore team and are waiting to hear back 2 months ago
We have sent a follow up to the pimcore team. We will try again in 7 days. 2 months ago
pimcore/pimcore maintainer has acknowledged this report 2 months ago
Divesh Pahuja
2 months ago

@mylong Hi, Pimcore comes with a generic XSS protection handler, which is implemented on https://10.x-dev.pimcore.fun/admin. Please try to reproduce the problem on the master demo instance.

mylong
2 months ago

Researcher


Seems the CSP works. Since unpkg is in the whitelist, I can temporarily use the following way to bypass the CSP.
STEP1: (screenshot)
STEP2: (screenshot)
POC: <Iframe SrcDoc="<Script Src=https://unpkg.com/angular@1.6.0/angular.min.js></Script><K Ng-App>{{$new.constructor('alert(1)')()}}">
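The comment above shows why a host-based `script-src` allowlist that includes a public package CDN does not stop a stored XSS: the CDN serves frameworks whose templating can execute attacker-chosen expressions, so the policy is satisfied while the injected content still runs. The following is an added example, not Pimcore's code and not the actual policy of the demo instance; it assumes a Content-Security-Policy header string as input and audits its `script-src` for the weaknesses a reviewer would want flagged. `unpkg.com` is taken from the report; `cdnjs.cloudflare.com` and `cdn.jsdelivr.net` are added as further public package CDNs that serve the same kind of libraries.

```javascript
// Added example (not Pimcore's code). Assumption: the admin UI sends a CSP header
// and we only have the header string. Hosts that serve arbitrary public packages
// (and therefore script gadgets such as AngularJS) are treated as unsafe allowlist
// entries; unpkg.com comes from the report, the other two are assumed additions.
const PACKAGE_CDN_HOSTS = ['unpkg.com', 'cdnjs.cloudflare.com', 'cdn.jsdelivr.net'];

// Split "name value value; name value" into { name: [values] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives[name.toLowerCase()] = values;
  }
  return directives;
}

// Reduce a source expression to its host name ("https://unpkg.com/x" -> "unpkg.com").
function hostOf(source) {
  const value = source.replace(/^'|'$/g, '').toLowerCase();
  return value.replace(/^https?:\/\//, '').split('/')[0].split(':')[0];
}

// Return a list of human-readable findings for the effective script-src.
function auditScriptSrc(header) {
  const csp = parseCsp(header);
  const sources = csp['script-src'] ?? csp['default-src'] ?? [];
  const findings = [];
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));

  for (const src of sources) {
    if (src === "'unsafe-inline'") {
      findings.push(`${src}: injected inline scripts and event handlers run directly`);
    }
    if (src === '*' || src.toLowerCase() === 'https:' || src.toLowerCase() === 'http:') {
      findings.push(`${src}: scripts may load from any origin`);
    }
    const host = hostOf(src);
    const bare = host.replace(/^\*\./, '');
    if (PACKAGE_CDN_HOSTS.some((cdn) => bare === cdn || bare.endsWith('.' + cdn))) {
      findings.push(`${src}: public package CDN, serves script gadgets that bypass the policy`);
    }
  }
  if (sources.length > 0 && !hasNonceOrHash) {
    findings.push("no 'nonce-...' or hash source: prefer a per-response nonce with 'strict-dynamic' over a host allowlist");
  }
  return findings;
}

// Constructed sample policies: the first resembles the situation in the comment above.
const WEAK_CSP = "default-src 'self'; script-src 'self' https://unpkg.com";
const STRONG_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'strict-dynamic'";
console.log('weak:', auditScriptSrc(WEAK_CSP));
console.log('strong:', auditScriptSrc(STRONG_CSP));
```

A nonce or hash based policy removes the need to trust whole hosts, so a stored payload cannot satisfy it by pointing at a library the policy already allows.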

Divesh Pahuja validated this vulnerability a month ago
mylong has been awarded the disclosure bounty
The fix bounty is now up for grabs
Divesh Pahuja confirmed that a fix has been merged on 8c39a8 a month ago
Divesh Pahuja has been awarded the fix bounty