Cross Site Scripting (XSS) in UrlSlug in pimcore/pimcore


Reported on

Mar 9th 2023


Please enter a description of the vulnerability. Cross Site Scripting (XSS) in UrlSlug of pimcore/pimcore

Its Different than

Proof of Concept

1. Login in stable account URL :
2. Go to System Data ---> UrlSlug
3. Enter Payload in UrlSlug with starting with "/" slash.
4. then go to Content-Master Document , Enter Random Value in Document. 
5. Save & Publish and Hit Apply 
6. Go to SEO & Setting.
For more understanding please check POC.
// PoC.js
var payload = /"><img src=x onerror=alert(document.domain);>


An attacker can use XSS to send a malicious script to an unsuspecting user.


We are processing your report and will contact the pimcore team within 24 hours. 22 days ago
We have contacted a member of the pimcore team and are waiting to hear back 21 days ago
pimcore/pimcore maintainer has acknowledged this report 18 days ago
Divesh Pahuja validated this vulnerability 15 days ago
Onkar_1902 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.19 with commit c59d0b 15 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Divesh Pahuja published this vulnerability 15 days ago
to join this conversation