XSS in button home page in pimcore/pimcore
Status: Valid
Reported on Feb 23rd 2023
Description
The vuln was found in File/Documents/Home, in any button on the page.
Proof of Concept
1. Log in at URL: https://demo.pimcore.fun/admin
2. Go to File -> Open Documents -> Home
3. Click any button on the page -> Edit Link
4. In the Advanced tab, inject the payload into: `Attributes (key="value")`
For more understanding, please check the PoC.
```javascript
// PoC.js
var payload = "'><details/open/ontoggle=confirm(document.domain)>";
```
POC : https://drive.google.com/file/d/110JMIEA_ngdVB-k5cM9wnX8p7KtW7npD/view?usp=share_link
Impact
An attacker can use XSS to send a malicious script to any user.
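Added illustration, not part of this report and not Pimcore's code: the unsafe pattern the report describes (the editor's `key="value"` text placed into the link tag verbatim) beside a hardened renderer that allowlists attribute names and escapes values for the attribute context. The function names, the allowlist and the sample input are assumptions.

```javascript
// Added example, not Pimcore's code: contrasting the unsafe pattern behind
// this report (the editor's `key="value"` string dropped into the <a> tag
// verbatim) with a renderer that allowlists attribute names and escapes
// values for the double-quoted attribute context. Names are assumptions.

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Attribute names an editor may legitimately set on a link (assumed set).
// Everything else, including every on* event handler, is dropped.
const ALLOWED_ATTRS = new Set(["class", "id", "rel", "target", "title"]);

// Parse the raw `key="value" key2="value2"` editor string into pairs.
// Only strictly-formed pairs with an allowlisted name survive; any stray
// text (such as a quote-and-bracket breakout) never reaches the output.
function parseAttributes(raw) {
  const pairs = [];
  const re = /([a-zA-Z][\w-]*)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    if (ALLOWED_ATTRS.has(name)) pairs.push([name, m[2]]);
  }
  return pairs;
}

// Vulnerable pattern: the editor string is concatenated into the tag as-is,
// so any value can close the quote and open a new element.
function renderLinkUnsafe(href, rawAttrs) {
  return `<a href="${escapeAttr(href)}" ${rawAttrs}>`;
}

// Hardened pattern: name allowlist plus attribute-context escaping.
function renderLinkSafe(href, rawAttrs) {
  const attrs = parseAttributes(rawAttrs)
    .map(([name, value]) => ` ${name}="${escapeAttr(value)}"`)
    .join("");
  return `<a href="${escapeAttr(href)}"${attrs}>`;
}

// Constructed editor input: one legitimate attribute, one event handler,
// one value that tries to break out of the attribute.
const SAMPLE_ATTRS = 'class="btn" onclick="evil()" title="a<b>"';
```

Running `renderLinkSafe("/home", SAMPLE_ATTRS)` keeps only `class` and the escaped `title`, while `renderLinkUnsafe` passes the handler through untouched.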
This vulnerability has been assigned a CVE