XSS in Schedule tab of Documents in pimcore/pimcore
Mar 8th 2023
pimcore is vulnerable to XSS at Time field in Schedule tab of Document.
"><img src=x onerror=alert(document.domain);>
Proof of Concept
https://demo.pimcore.fun/admin/ and login.
2.In Documents, go to home -> click on Schedule icon to go to this tab.
3.In the Schedule tab, input the payload
"><img src=x onerror=alert(document.domain);> into the Time field and press enter.
4.Click on that input field again and keep the mouse pointer hovers on it, you will see the XSS popup triggers.
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites.