Inclusion of Sensitive Information in Source Code in pimcore/demo

Valid

Reported on

Dec 9th 2021


Description

API Keys is hard coded in the application source code. The use of a hard-coded API Key has many negative implications.

Proof of Concept

            "security" => [
                "method" => "datahub_apikey",
                "apikey" => "6332aa5e6d3d6c0be31da2a8b3442113",
                "skipPermissionCheck" => FALSE
We are processing your report and will contact the pimcore/demo team within 24 hours. a year ago
Adam Nygate has invalidated this vulnerability a year ago

Reports against demo projects are out-of-scope.

The disclosure bounty has been dropped
The fix bounty has been dropped
Devendra Bhatla
a year ago

Researcher


Hey Adam, This vulnerability is reported from the github repository and not from the demo project.

Adam Nygate
a year ago

Admin


As per the README.me, this repository is the "Demo and Blue Print Application for Pimcore"

Jamie Slome
a year ago

Admin


For reference, I have re-opened the report and set the bounties to $0.

We have contacted a member of the pimcore/demo team and are waiting to hear back a year ago
We have sent a follow up to the pimcore/demo team. We will try again in 7 days. a year ago
We have sent a second follow up to the pimcore/demo team. We will try again in 10 days. a year ago
Divesh Pahuja validated this vulnerability a year ago
Devendra Bhatla has been awarded the disclosure bounty
The fix bounty is now up for grabs
Divesh Pahuja marked this as fixed in 10.1.8 with commit 3e2654 a year ago
Divesh Pahuja has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation