Inclusion of Sensitive Information in Source Code in pimcore/demo

Valid

Reported on

Dec 9th 2021

Description

API Keys is hard coded in the application source code. The use of a hard-coded API Key has many negative implications.

Proof of Concept

            "security" => [
                "method" => "datahub_apikey",
                "apikey" => "6332aa5e6d3d6c0be31da2a8b3442113",
                "skipPermissionCheck" => FALSE

We are processing your report and will contact the pimcore/demo team within 24 hours. 2 years ago

Adam Nygate has invalidated this vulnerability 2 years ago

Reports against demo projects are out-of-scope.

The disclosure bounty has been dropped

The fix bounty has been dropped

Devendra Bhatla

commented 2 years ago

Researcher

Hey Adam, This vulnerability is reported from the github repository and not from the demo project.

Adam Nygate

commented 2 years ago

Admin

As per the README.me, this repository is the "Demo and Blue Print Application for Pimcore"

Jamie Slome

commented 2 years ago

Admin

For reference, I have re-opened the report and set the bounties to $0.

We have contacted a member of the pimcore/demo team and are waiting to hear back 2 years ago

We have sent a follow up to the pimcore/demo team. We will try again in 7 days. 2 years ago

We have sent a second follow up to the pimcore/demo team. We will try again in 10 days. 2 years ago

Divesh Pahuja validated this vulnerability 2 years ago

Devendra Bhatla has been awarded the disclosure bounty

The fix bounty is now up for grabs

Divesh Pahuja marked this as fixed in 10.1.8 with commit 3e2654 2 years ago

Divesh Pahuja has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation

We are processing your report and will contact the pimcore/demo team within 24 hours. 2 years ago

Adam Nygate has invalidated this vulnerability 2 years ago

Reports against demo projects are out-of-scope.

The disclosure bounty has been dropped

The fix bounty has been dropped

Devendra Bhatla

commented 2 years ago

Researcher

Hey Adam, This vulnerability is reported from the github repository and not from the demo project.

Adam Nygate

commented 2 years ago

Admin

As per the README.me, this repository is the "Demo and Blue Print Application for Pimcore"

Jamie Slome

commented 2 years ago

Admin

For reference, I have re-opened the report and set the bounties to $0.

We have contacted a member of the pimcore/demo team and are waiting to hear back 2 years ago

We have sent a follow up to the pimcore/demo team. We will try again in 7 days. 2 years ago

We have sent a second follow up to the pimcore/demo team. We will try again in 10 days. 2 years ago

Divesh Pahuja validated this vulnerability 2 years ago

Devendra Bhatla has been awarded the disclosure bounty

The fix bounty is now up for grabs

Divesh Pahuja marked this as fixed in 10.1.8 with commit 3e2654 2 years ago

Divesh Pahuja has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation