Stored XSS in name parameter of "Static Routes" in pimcore/pimcore

Valid

Reported on

Mar 20th 2023


Description

During testing, I observed that the name parameter of the "Static Routes" functionality is vulnerable to stored XSS.

Proof of Concept

1.Login to https://demo.pimcore.fun/admin/.

2.Now go to Settings -> Static Routes -> Add and Enter the payload: "><img src=1 onerror=alert(document.domain)> inside the name input field.

3.Then click on update.

4.Now delete the name, you will see XSS will trigger.

Video PoC

https://drive.google.com/file/d/1vChnkWZKoNYjn_1HBFsFVDGbo_x1vUjS/view?usp=share_link

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.

References

We are processing your report and will contact the pimcore team within 24 hours. 9 months ago
We have contacted a member of the pimcore team and are waiting to hear back 8 months ago
Pavlos has marked this vulnerability as a duplicate of 41edf190-f6bf-4a29-a237-7ff1b2d048d3 8 months ago

Please add it to the above report as an occurrence. Opening more than 1 report per vulnerability type by circumventing our bundling system can result in a ban.

The disclosure bounty has been dropped
The fix bounty has been dropped
The researcher's credibility has decreased: -5
SAMPRIT DAS
8 months ago

Researcher


Hi @psmoros i have updated the report https://huntr.dev/bounties/41edf190-f6bf-4a29-a237-7ff1b2d048d3/ and added this as occurrence

Divesh Pahuja
7 months ago

Maintainer


Hi @psmoros, we have fixed the reported issue in the product. Is it now possible to validate this and close it to assign CVE?

Same query for: https://huntr.dev/bounties/1a5e6c65-2c5e-4617-9411-5b47a7e743a6/ https://huntr.dev/bounties/af9c360a-87f8-4e97-a24b-6db675ee942a/

Thanks, Divesh

SAMPRIT DAS
7 months ago

Researcher


@admin can you please re-open the following mentioned reports and let @divesh to validate it?

SAMPRIT DAS
7 months ago

Researcher


Tagging @admin as not getting a response from @psmoros

Pavlos
7 months ago

Admin


on it :)

Ben Harvie
7 months ago

Admin


Reports have been re-opened as requested and scores have been reset. Thanks!

SAMPRIT DAS modified the report
7 months ago
SAMPRIT DAS
7 months ago

Researcher


@benharvie Thanks for re-opening the report

SAMPRIT DAS
7 months ago

Researcher


@dvesh3 @maintainer Now please validate the report and the occurrences.

Divesh Pahuja modified the Severity from Critical (9) to Medium (5.5) 7 months ago
Divesh Pahuja modified the Severity from Medium (5.5) to Medium (6.8) 7 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Divesh Pahuja validated this vulnerability 7 months ago
SAMPRIT DAS has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.21 with commit 07a2c9 7 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja
7 months ago

Maintainer


@admin how can i find the published CVE for this fix? thanks!

SAMPRIT DAS
7 months ago

Researcher


@admin please help

Ben Harvie
7 months ago

Admin


Hi, the CVE is assigned and will update to published shortly. Thanks!

to join this conversation