Cross-site Scripting (XSS) - Stored in pimcore/pimcore


Reported on Feb 16th 2023


  2. Go to Settings -> Thumbnails -> Video Thumbnails
  3. Click the button (Add Media Segment)
  4. Write: "><img src=x onerror=alert(document.domain)> and then click OK


The injected script executes.
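The payload above works because the segment name is placed inside a double-quoted attribute without encoding, so the leading `">` closes the attribute and the rest is parsed as a new element. The following added example (not Pimcore's code; the rendering functions are assumed for illustration) puts a string-concatenation render next to an encoded one and shows that the reported payload becomes inert text once every interpolation point is escaped.

```javascript
// Added example (not Pimcore's code). The input is the media-segment name
// from the report steps above, reused here as constructed test data.
const REPORTED_PAYLOAD = '"><img src=x onerror=alert(document.domain)>';

// Assumed vulnerable pattern: the name is concatenated straight into HTML.
// The leading `">` in the payload terminates the title attribute and the
// remainder is parsed by the browser as an <img> element with a handler.
function renderSegmentUnsafe(name) {
  return '<div class="segment" title="' + name + '">' + name + '</div>';
}

// Encode the five characters that are significant in both text and
// double-quoted attribute context. `&` goes first so that the entities
// produced for the other characters are not themselves re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: every interpolation point is escaped, so the name
// can neither close the attribute nor open a new tag.
function renderSegmentSafe(name) {
  const safe = escapeHtml(name);
  return '<div class="segment" title="' + safe + '">' + safe + '</div>';
}

// Count how many <img ...> start tags a rendered fragment contains; a
// correctly encoded render contains zero regardless of the name supplied.
function countImgTags(html) {
  return (html.match(/<img\b/gi) || []).length;
}

console.log(renderSegmentUnsafe(REPORTED_PAYLOAD)); // two live <img> tags
console.log(renderSegmentSafe(REPORTED_PAYLOAD));   // no tags, only entities
```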

We are processing your report and will contact the pimcore team within 24 hours. a month ago
We have contacted a member of the pimcore team and are waiting to hear back a month ago


Hello, they told me it is a duplicate of this report. Please, maintainer, check. Amazing, haha.

pimcore/pimcore maintainer has acknowledged this report a month ago
Divesh Pahuja modified the Severity from Critical (9.1) to Medium (4.8) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Divesh Pahuja validated this vulnerability a month ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.18 with commit b9ba69 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability a month ago