Multiple Stored XSS in name parameter of "Pricing Rules", "Predefined Properties", "Customers Reports" & "Static Routes" in pimcore/pimcore

Valid

Reported on

Mar 20th 2023


Description

The name parameter of the "Pricing Rules", "Predefined Properties", "Customers Reports" & "Static Routes" functionality is vulnerable to Stored XSS.

Proof of Concept

1.Login to https://demo.pimcore.fun/admin/.

2.Now go to Online Shop -> Pricing Rules -> Add and  Enter the name of the new item.

3.Then capture the request on the burp suite and modify the name parameter value with xss payload: ```"><img src=1 onerror=alert(1337);> or "><img src=1 onerror=alert(document.domain);>``` and forward the request.

4.Now xss will trigger.

Video PoC

https://drive.google.com/file/d/1caoStWr0Ex08j0cmqCSiwyjpCQgYSR6j/view?usp=share_link
https://drive.google.com/file/d/1vChnkWZKoNYjn_1HBFsFVDGbo_x1vUjS/view?usp=share_link
https://drive.google.com/file/d/1WNdLQ-vjcfPWG4k24MMBkknTocPgCSLB/view?usp=share_link
https://drive.google.com/file/d/1kQjTzLNpuzZRySUt19IBn3T7ABvMRxem/view?usp=share_link

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.

References

We are processing your report and will contact the pimcore team within 24 hours. a year ago
We have contacted a member of the pimcore team and are waiting to hear back a year ago
SAMPRIT DAS modified the report
a year ago
SAMPRIT DAS modified the report
a year ago
SAMPRIT DAS
a year ago

Researcher


Hi, team any update?

pimcore/pimcore maintainer has acknowledged this report a year ago
SAMPRIT DAS
a year ago

Researcher


Hi, team any update?

SAMPRIT DAS
10 months ago

Researcher


@dvesh3 Any update on this report?

Bernhard Rusch
10 months ago

Yes, we're on it - thanks for the reminder!

SAMPRIT DAS
10 months ago

Researcher


@brusch Okay thanks

Bernhard Rusch modified the Severity from Critical (9) to Medium (6.8) 10 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Bernhard Rusch validated this vulnerability 10 months ago
sampritdas8 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.21 with commit e88fa7 10 months ago
The fix bounty has been dropped
This vulnerability has now been published 10 months ago
to join this conversation