Cross site scripting on the login page in pimcore/pimcore


Reported on

Mar 22nd 2023


Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.

URL encoded GET input too_many_attempts was set to Too many failed login attempts, please try again in 5 minutes.'"()%26%25<div onmouseover="alert(1)" style="position:fixed;left:0;top:0;width:9999px;height:9999px;"></div>

Proof of Concept;left:0;top:0;width:9999px;height:9999px;%22%3E%3C/div%3E


Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can then impersonate that user.

Furthermore, JavaScript can read and make arbitrary modifications to the contents of a page being displayed to a user. Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities for an attacker.

We are processing your report and will contact the pimcore team within 24 hours. 6 months ago
We have contacted a member of the pimcore team and are waiting to hear back 6 months ago
Anas Boulbali
6 months ago



Would you have any updates regarding this XSS?

Kind regards

Christian F. modified the Severity from High (8.6) to High (7.3) 5 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Christian F. validated this vulnerability 5 months ago
Anas Boulbali has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Anas Boulbali
5 months ago


To sanitize this code and prevent XSS vulnerabilities, you can use the htmlspecialchars function to escape any special characters in the input value before assigning it to the $params array. Here's an example:

    if ($request->get('too_many_attempts')) {
        $params['error'] = htmlspecialchars($request->get('too_many_attempts'), ENT_QUOTES, 'UTF-8');
    }

This will convert any special characters in the input string to their corresponding HTML entities, preventing them from being interpreted as code by the browser. The ENT_QUOTES flag is used to escape both single and double quotes, and the 'UTF-8' encoding ensures that the function works correctly with non-ASCII characters.
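The escaping suggested in the comment above, shown next to the unescaped behaviour, as an added example that is not part of the original report and is not Pimcore's code. The function names and the renderError() template stand-in are hypothetical, and the fixed-message variant is an alternative design that goes beyond what the comment proposes.

```php
<?php
// Added example, not Pimcore code: the function names are hypothetical
// stand-ins for the login controller and its template.

// Constructed sample: the decoded too_many_attempts value from the report.
$query = ['too_many_attempts' =>
    'Too many failed login attempts, please try again in 5 minutes.\'"()&%'
    . '<div onmouseover="alert(1)" style="position:fixed;left:0;top:0;'
    . 'width:9999px;height:9999px;"></div>'];

// Before: the query value reaches the template unchanged.
function paramsUnescaped(array $query): array
{
    $value = $query['too_many_attempts'] ?? null;
    return is_string($value) && $value !== '' ? ['error' => $value] : [];
}

// After, as suggested in the comment: escape for an HTML context.
// is_string() rejects ?too_many_attempts[]=x, which htmlspecialchars()
// refuses with a TypeError on PHP 8.
function paramsEscaped(array $query): array
{
    $value = $query['too_many_attempts'] ?? null;
    if (!is_string($value) || $value === '') {
        return [];
    }
    return ['error' => htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')];
}

// Alternative (assumption, goes beyond the comment): treat the parameter as
// a flag and emit a fixed server-side message, so no request text is echoed.
function paramsFixedMessage(array $query): array
{
    return isset($query['too_many_attempts'])
        ? ['error' => 'Too many failed login attempts, please try again in 5 minutes.']
        : [];
}

// Stand-in for a template that prints the value without escaping it again.
function renderError(array $params): string
{
    return '<div class="error">' . ($params['error'] ?? '') . '</div>';
}

foreach (['paramsUnescaped', 'paramsEscaped', 'paramsFixedMessage'] as $fn) {
    $html = renderError($fn($query));
    $injected = strpos($html, '<div onmouseover=') !== false;
    printf("%-20s injected markup present: %s\n", $fn, $injected ? 'yes' : 'no');
}
```

If the template layer already escapes output (for example Twig's autoescaping), escape in one place only, otherwise the message is double-encoded.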

Anas Boulbali
5 months ago


Hello Christian,

Can you please assign it a CVE?

Kind regards

Divesh Pahuja marked this as fixed in 10.5.21 with commit 66f108 5 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 5 months ago