Cross-site Scripting (XSS) - Stored in pimcore/customer-data-framework
Dec 23rd 2021
Stored cross-site scripting vulnerability in the Pimcore app: the name and description fields in customer automation rules are vulnerable to XSS.
Proof of Concept
1. Log in to the account.
2. Go to Customers --> Customer Automation Rules --> add the payload in the name field.
3. Payload: "><iMg SrC="x" oNeRRor="alert(1);">
This vulnerability can be used to steal the user's cookie.
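
The leading `">` in the payload closes a quoted attribute value, which is why a stored field written into markup without output encoding turns into a new element. The following is an added example, not Pimcore's code or its fix; the row markup and the function names (`escapeHtml`, `renderRuleUnsafe`, `renderRuleSafe`, `countStartTags`) are assumptions made for illustration. It renders a rule row with and without encoding and counts start tags to show when stored data became markup.

```javascript
// Added example: markup and function names are hypothetical, not Pimcore's.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the characters that can change HTML parsing state in text nodes
// and in quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored fields are concatenated into markup as-is.
function renderRuleUnsafe(rule) {
  return `<tr><td><input name="name" value="${rule.name}"></td>` +
         `<td>${rule.description}</td></tr>`;
}

// Hardened pattern: every stored field is encoded at output time.
function renderRuleSafe(rule) {
  return `<tr><td><input name="name" value="${escapeHtml(rule.name)}"></td>` +
         `<td>${escapeHtml(rule.description)}</td></tr>`;
}

// A correctly rendered row has exactly four start tags (tr, td, input, td).
// A higher count means stored data was parsed as markup.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample record using the payload string from the report in
// both fields the report names.
const PAYLOAD = '"><iMg SrC="x" oNeRRor="alert(1);">';
const sampleRule = { name: PAYLOAD, description: PAYLOAD };

function demo() {
  return {
    unsafeTags: countStartTags(renderRuleUnsafe(sampleRule)), // 6: two extra <iMg> elements
    safeTags: countStartTags(renderRuleSafe(sampleRule)),     // 4: payload stays inert text
  };
}

console.log(demo());
```

Encoding at output time covers both fields regardless of what is already stored, so records saved before a fix are rendered safely too.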