HTML Injection / Possible XSS in pimcore/admin-ui-classic-bundle

Valid

Reported on

Jun 3rd 2023


Description

In pimcore I was able to identify an unauthenticated HTML injection / possible XSS.

Conditions: 2-factor authentication must not have been set up before.

Vulnerable Endpoint: http://localhost/admin/login/2fa-setup

Vulnerable Param: error=

How it works: basically any admin who has not set up 2-factor authentication before is vulnerable to this attack, without the need for any form of privilege, causing the application to execute arbitrary scripts / HTML content.

Another potential attack vector: as it is a 2FA page and it has a QR code, an attacker can replace this QR code with something he has, leading to an increased threat to the admin.

Proof of Concept

http://localhost/admin/login/2fa-setup?error=%3C/div%3E%3Ca%20href=%22https://www.evil.com%22%3EVisit%20Login%20Here%3C/a%3E

http://localhost/admin/login/2fa-setup?error=%3C/div%3E%3Cimg%20src=%22https://static.wikia.nocookie.net/gaianipedia/images/9/9b/Hacked.png%22%20alt=%22Girl%20in%20a%20jacket%22%20width=%22700%22%20height=%22200%22%3E

http://localhost/admin/login/2fa-setup?error=%3C/div%3E%3C/body%3E%3Cmarquee%20width=1000%20loop=7%20onfinish=alert(1)%3EYOU%20HAVE%20BEEN%20HACKED%20THROUGH%20XSS%3C/marquee%3E
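The defect class behind the proof of concept above is a request parameter being written into the page markup without HTML escaping. The following PHP snippet is an added illustration, not code from Pimcore or from the admin-ui-classic-bundle fix: it builds a minimal stand-in for an error box, renders a constructed sample value through an unescaped path and through an escaped path, and includes the kind of regression check a maintainer could keep. The function names and the page skeleton are assumptions for illustration only.

```php
<?php
// Added example (not Pimcore's code): a minimal stand-in for a login page that
// echoes an "error" query parameter. Shown unescaped (the defect class reported
// above) and escaped (the fix). Function names are assumptions for illustration.

declare(strict_types=1);

/** Vulnerable rendering: the parameter lands in the markup verbatim. */
function renderErrorVulnerable(string $error): string
{
    return '<div class="error">' . $error . '</div>';
}

/** Hardened rendering: escape for an HTML text context before interpolating. */
function renderErrorSafe(string $error): string
{
    $escaped = htmlspecialchars($error, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="error">' . $escaped . '</div>';
}

/** Regression check: escaped output must never contain an element start. */
function outputIsInert(string $rendered, string $wrapperOpen = '<div class="error">'): bool
{
    // Strip the trusted wrapper we emitted ourselves, then look for any tag
    // start in what remains; '<' must have been turned into '&lt;'.
    $inner = substr($rendered, strlen($wrapperOpen), -strlen('</div>'));
    return strpos($inner, '<') === false;
}

// Constructed sample value: the same "close the container, then inject markup"
// shape as the report's PoC, using a reserved example domain.
$sample = '</div><a href="https://example.invalid">Visit Login Here</a>';

echo renderErrorVulnerable($sample), PHP_EOL;
// The injected <a> element becomes part of the DOM; the error div is closed early.

echo renderErrorSafe($sample), PHP_EOL;
// &lt;/div&gt;&lt;a href=&quot;https://example.invalid&quot;&gt;Visit Login Here&lt;/a&gt;
// is rendered by the browser as literal text, not as a link.

if (!outputIsInert(renderErrorSafe($sample))) {
    throw new RuntimeException('escaping regression: request-derived value reached the DOM as markup');
}
if (outputIsInert(renderErrorVulnerable($sample))) {
    throw new RuntimeException('sanity check failed: vulnerable path should produce live markup');
}
```

In a Twig template the equivalent protection is the default autoescaping of `{{ error }}`; the failure mode to look for during review is a request-derived value passed through the `raw` filter or concatenated into the response outside the template engine.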

Impact

This attack can be used to execute arbitrary scripts or HTML injection, causing the target application to execute these, resulting in cookie stealing, defacement or injecting phishing URLs into the target application.

We are processing your report and will contact the pimcore/admin-ui-classic-bundle team within 24 hours. 6 months ago
We have contacted a member of the pimcore/admin-ui-classic-bundle team and are waiting to hear back 6 months ago
Hacker_Universe modified the report
6 months ago
Hacker_Universe
6 months ago

Researcher


any updates? anyone?

pimcore/admin-ui-classic-bundle maintainer has acknowledged this report 6 months ago
Hacker_Universe
5 months ago

Researcher


no actions?

aryaantony92 validated this vulnerability 5 months ago
Hacker_Universe has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja
5 months ago

Maintainer


Hi @hackeruniverse, unfortunately this is reported for the wrong repository and affected version. The correct repo is pimcore/admin-ui-classic-bundle and the correct affected version is 1.0.0.

@admin please help :)

Hacker_Universe
5 months ago

Researcher


Hi @dvesh3, isn't it shipped together with pimcore? I can find AdminBundle in Pimcore 10.6 https://github.com/pimcore/pimcore/tree/10.6/bundles/AdminBundle/Controller/Admin

Divesh Pahuja
5 months ago

Maintainer


It was refactored on v11.0 to an external bundle pimcore/admin-ui-classic-bundle and the issue appeared due to regression of the refactoring. This is the reason it is only fixed on the latest version of the bundle.

It shouldn't be the case with 10.6 version of pimcore/pimcore.

Ben Harvie
5 months ago

Admin


Affected version updated as requested, thanks!

Divesh Pahuja
5 months ago

Maintainer


Hi @admin, thanks for your help. The repo also needs to be updated to pimcore/admin-ui-classic-bundle.

Ben Harvie
5 months ago

Admin


Sorry I missed that one, all sorted now :)

Divesh Pahuja
5 months ago

Maintainer


thank you :)

Divesh Pahuja marked this as fixed in 1.0.3 with commit 5fcd19 5 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Divesh Pahuja published this vulnerability 5 months ago
Hacker_Universe
5 months ago

Researcher


Hi @admin, can I know why the disclosure bounty got dropped?
