XSS in button home page in pimcore/pimcore

Valid

Reported on

Feb 23rd 2023


Description

vuln was find in File/Documents/Home , any button in page

Proof of Concept

1. Login in  URL : https://demo.pimcore.fun/admin
2. Go to File -> Open Documents -> Home
3. click any button in page -> Edit Link  
4. in tab Advanced, inject payload to : ```Attributes (key="value")```

For more understanding please check POC.
// PoC.js
var payload = \'><details/open/ontoggle=confirm(document.domain)>
POC : https://drive.google.com/file/d/110JMIEA_ngdVB-k5cM9wnX8p7KtW7npD/view?usp=share_link

Impact

An attacker can use XSS to send a malicious script to any user.

We are processing your report and will contact the pimcore team within 24 hours. 3 months ago
We have contacted a member of the pimcore team and are waiting to hear back 3 months ago
pimcore/pimcore maintainer has acknowledged this report 2 months ago
Divesh Pahuja validated this vulnerability 2 months ago
HMs has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.18 with commit c6368b 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 2 months ago
to join this conversation