Stored XSS in name parameter of "Static Routes" in pimcore/pimcore
Mar 20th 2023
During testing, I observed that the name parameter of the "Static Routes" functionality is vulnerable to stored XSS.
Proof of Concept
1. Log in to https://demo.pimcore.fun/admin/.
2. Now go to Settings -> Static Routes -> Add and enter the payload
"><img src=1 onerror=alert(document.domain)> inside the name input field.
3. Then click on update.
4. Now delete the name; you will see the XSS trigger.
This vulnerability can be used to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie, or to redirect users to other malicious sites.
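A payload of the form used in step 2 works when a stored value is placed into markup without output encoding. The sketch below is an added example, not Pimcore code and not part of the original report: the rendering helpers and the sample record are hypothetical, and it assumes the stored name is written into a quoted HTML attribute.

```javascript
// Added example: hypothetical rendering helpers, not Pimcore's own code.

// Constructed sample record holding the name value from the report.
const storedRoute = { id: 1, name: '"><img src=1 onerror=alert(document.domain)>' };

const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a value so it is safe in HTML text and in quoted attribute values.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup as-is,
// so a leading "> closes the attribute and the tag, and new markup follows.
function renderNameFieldUnsafe(route) {
  return '<input type="text" name="name" value="' + route.name + '">';
}

// Hardened pattern: the same markup, with the stored value encoded on output.
function renderNameFieldSafe(route) {
  return '<input type="text" name="name" value="' + htmlEncode(route.name) + '">';
}

// Rough check for review or unit tests: how many element start tags
// would an HTML parser find in the generated string?
function countStartTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Unsafe output contains two elements (input plus the injected img);
// safe output contains only the intended input element.
console.log(countStartTags(renderNameFieldUnsafe(storedRoute)));
console.log(countStartTags(renderNameFieldSafe(storedRoute)));
console.log(renderNameFieldSafe(storedRoute));
```

Encoding on output matters even if the name is also validated on input, because records stored before a fix would otherwise still render as markup.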