XSS in Predefined Asset Metadata module in Settings in pimcore/pimcore

Valid

Reported on

Mar 13th 2023

Description

While testing the pimcore application, I found that it is vulnerable to XSS vulnerability in Predefined Asset Metadata module in Settings, specifically at Name field.

Proof of Concept

1.Go to https://11.x-dev.pimcore.fun/admin/ then login.
2.Go to Settings -> Predefined Asset Metadata and add a new definition.
3.Change the New Definition to the payload "><img src=x onerror=alert(document.domain);> at the Name field.
4.Click on delete icon (X) of that property, you will see the XSS popup triggers.

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.

We are processing your report and will contact the pimcore team within 24 hours. 2 months ago
We have contacted a member of the pimcore team and are waiting to hear back 2 months ago
pimcore/pimcore maintainer has acknowledged this report 2 months ago
Kan09 submitted a
patch
2 months ago
Kan09 submitted a
patch
2 months ago
Divesh Pahuja validated this vulnerability 2 months ago
Kan09 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.20 with commit 2b9977 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 2 months ago
to join this conversation