Stored html injection on segment name in pimcore/customer-data-framework


Reported on

Jul 26th 2023


I have found an HTML Injection vulnerability on your web application. HTML injection is a type of injection vulnerability that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page.

Note : I am recreating the report as you requested.

Steps to reprduce:

  1. Navigate the urla and and login.
  2. Select perspective --> CDP and click on any user profile
  3. Click Edit ->Segmentation -> Calculated segments (open the folder).
  4. Enter the html payload Segment name field and save it.
  5. Go to the customers option, payload successfully worked.

Proof of Concept


As HTML injection works in email an attacker can trick a victim to click on such hyperlinks to redirect him to any malicious site and also can host a XSS page. All this will surely cause some damage to the victim. This could lead to users being tricked into giving logins away to malicious attackers.

We are processing your report and will contact the pimcore/customer-data-framework team within 24 hours. 2 months ago
aryaantony92 validated this vulnerability 2 months ago
Ramesh A has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ramesh A
2 months ago


@maintainer can you assign a CVE for this vulnerability, please ?

2 months ago


Hi @si13ntr311ik, The issue will be closed and assigned a CVE when the fix is released in a version. Thanks

Divesh Pahuja marked this as fixed in 3.4.2 with commit 72f45d 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 2 months ago
to join this conversation