Cross-site Scripting (XSS) - Stored in pimcore/pimcore

Valid

Reported on

Mar 8th 2022


Description

pimcore datahub is vulnerable to Stored XSS in multiple places including:

(1) the Pricing Rule of the Online Shop in EcommerceFrameworkBundle. Whenever an admin user accesses Pricing Rule, the stored XSS is triggered.

(2) Image Thumbnails in Settings. Whenever an admin user accesses Image Thumbnails, the stored XSS is triggered.

(3) Video Thumbnails in Settings. Whenever an admin user accesses Video Thumbnails, the stored XSS is triggered.

Proof of Concept for 1

Step 1: Go to https://demo.pimcore.fun/admin/ and log in.

Step 2: Click File > Perspective > Commerce on the left

Step 3: Click Online Shop > Pricing Rule on the left

Step 4: Click Add to add pricing rule

Step 5: Input aaa so as to capture a legitimate POST request in Burp Suite

Step 6: Modify the value of the name parameter in the body of the POST request to the URL-encoded value below

"><img+src%3dx+onerror%3dalert(document.domain)>

Step 7: Forward the request

You will see an alert box whenever you access Pricing Rule

Proof of Concept for 2 & 3

Step 1: Go to https://10.x-dev.pimcore.fun/admin/ and log in.

Step 2: Click Settings > Thumbnails > Image / Video Thumbnails > Add

Step 3: Input aaa so as to capture a legitimate POST request in Burp Suite

Step 4: Modify the value of the name parameter in the body of the POST request to the URL-encoded value below

"><img+src%3dx+onerror%3dalert(document.domain)>

Step 5: Forward the request

You will see an alert box whenever you access Image Thumbnails / Video Thumbnails

Impact

This vulnerability could let an attacker steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

Occurrences

There is no input sanitization on the client side (e.g. escaping of HTML characters)


We are processing your report and will contact the pimcore team within 24 hours. (2 years ago)
James Yeung modified the report (2 years ago)
James Yeung modified the report (2 years ago)
James Yeung modified the report (2 years ago)
James Yeung modified the report (2 years ago)
Divesh Pahuja validated this vulnerability 2 years ago
James Yeung has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the pimcore team. We will try again in 7 days. 2 years ago
Divesh Pahuja marked this as fixed in 10.4.0 with commit 6e0922 2 years ago
Divesh Pahuja has been awarded the fix bounty
This vulnerability will not receive a CVE