Cross site scripting on the login page in pimcore/pimcore
Mar 22nd 2023
Cross-site Scripting (XSS) refers to a client-side code injection attack in which an attacker gets malicious scripts executed in the context of a legitimate website or web application. XSS occurs when a web application includes unvalidated or unencoded user input in the output it generates.
URL encoded GET input too_many_attempts was set to Too many failed login attempts, please try again in 5 minutes.'"()%26%25<div onmouseover="alert(1)" style="position:fixed;left:0;top:0;width:9999px;height:9999px;"></div>
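As an added illustration (not code from this advisory or from Pimcore), the pattern behind the finding in Python: a login error message read from the too_many_attempts GET parameter and reflected into the page unchanged, next to an HTML-encoded version and a version that treats the parameter as a flag and takes the message text from a server-side table. The sample URL, handler names and message table are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a login URL whose too_many_attempts value carries markup,
# modelled on the reflected value reported above.
SAMPLE_URL = (
    "https://example.invalid/admin/login?too_many_attempts="
    "Too%20many%20failed%20login%20attempts.%27%22()%26%25"
    "%3Cdiv%20onmouseover%3D%22alert(1)%22%3E%3C%2Fdiv%3E"
)

# Server-side message table: the user supplies a key, never the text.
LOGIN_MESSAGES = {
    "too_many_attempts": "Too many failed login attempts, please try again in 5 minutes.",
}


def params_from_url(url):
    """Decode the query string into a dict of single values (first value wins)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def render_vulnerable(params):
    """Vulnerable pattern: the GET value is written into the HTML as-is."""
    msg = params.get("too_many_attempts", "")
    return f'<div class="alert">{msg}</div>' if msg else ""


def render_escaped(params):
    """Minimal fix: HTML-encode the value so tags and quotes render as text."""
    msg = params.get("too_many_attempts", "")
    return f'<div class="alert">{html.escape(msg, quote=True)}</div>' if msg else ""


def render_hardened(params):
    """Stronger fix: the parameter only selects a fixed, server-side message."""
    if "too_many_attempts" not in params:
        return ""
    return f'<div class="alert">{html.escape(LOGIN_MESSAGES["too_many_attempts"])}</div>'


def reflects_markup(rendered, value):
    """Detection check: does a value containing '<' reach the output unencoded?"""
    return "<" in value and value in rendered
```

Running the three renderers over the sample URL shows only the vulnerable one lets the markup through; the hardened variant also removes the need to trust the parameter's content at all.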
Proof of Concept