Cross-site Scripting (XSS) - Stored in pimcore/pimcore

Valid

Reported on

Feb 16th 2023

Description

  1. https://11.x-dev.pimcore.fun/admin/
  2. Go to Settings -> Thumbnails -> Video Thumbnails
  3. Click the button (Add Media Segment)
  4. Write : "><img src=x onerror=alert(document.domain)> and then click ok

Impact

excute script

We are processing your report and will contact the pimcore team within 24 hours. a month ago
We have contacted a member of the pimcore team and are waiting to hear back a month ago
Pocas
a month ago

Researcher

hello they said me https://huntr.dev/bounties/ee86781c-3ca9-4dbc-8315-8ee243fb3b2b/ is duple with this report. please maintainer checks amazing haha

pimcore/pimcore maintainer has acknowledged this report a month ago
Divesh Pahuja modified the Severity from Critical (9.1) to Medium (4.8) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Divesh Pahuja validated this vulnerability a month ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.18 with commit b9ba69 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability a month ago
to join this conversation