Stored cross site scripting vulnerability in Save grid option in pimcore dashboard in pimcore/pimcore

Valid

Reported on Mar 30th 2023


Description

Stored cross site scripting vulnerability in Save grid option in pimcore dashboard.

Proof of Concept

  1. Log in to the demo account at https://11.x-dev.pimcore.fun/admin/login

  2. In the left-side menu go to Document --> Perspective --> CDP: https://11.x-dev.pimcore.fun/admin/?perspective=CDP

  3. This opens the customer data view; select any customer record, e.g. 1020 or 5020.

  4. On the dashboard, open the Grid option drop-down and choose "Save as copy".

  5. Enter the name "><iMg SrC="x" oNeRRor="alert(1);">

  6. Click Save, then open the grid options; the alert pops up.

// PoC.js
// Payload string as entered in the grid name field; single-quoted so the
// inner double quotes stay literal and the file is valid JavaScript.
var payload = '"><iMg SrC="x" oNeRRor="alert(1);">';

Impact

An attacker can steal the user's session cookie, which can lead to complete account takeover.
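The root cause of a stored XSS like this one is a user-supplied value (here the grid name) being placed into HTML without output encoding. The following is an added illustration, not Pimcore's own code: a hypothetical renderer for a grid option entry, shown once in the vulnerable concatenation style and once with every interpolation point HTML-escaped, run against the exact payload from the report. Function names (escapeHtml, renderGridOptionUnsafe, renderGridOptionSafe, containsInjectedTag) and the markup shape are assumptions made for the example.

```javascript
// Added example (not Pimcore code): escaping a user-supplied grid name before
// it is placed into HTML, so a stored payload renders as text instead of markup.

// Minimal HTML escaper covering the five characters that can break out of
// text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the saved grid name is concatenated straight into markup
// (the class of bug the report describes; kept only to contrast with the fix).
function renderGridOptionUnsafe(name) {
  return '<div class="grid-option" title="' + name + '">' + name + "</div>";
}

// Hardened pattern: the same markup, but every interpolation point is escaped.
function renderGridOptionSafe(name) {
  const safe = escapeHtml(name);
  return '<div class="grid-option" title="' + safe + '">' + safe + "</div>";
}

// Check used to show the difference: does the rendered string contain any
// tag other than the <div> we emitted ourselves?
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?div\b/i.test(t));
}

// The payload from the report, constructed here as the example input.
const reportPayload = '"><iMg SrC="x" oNeRRor="alert(1);">';

// Stand-alone run: the unsafe renderer yields an injected <iMg> tag,
// the safe renderer yields only the intended <div>.
console.log("unsafe injected:", containsInjectedTag(renderGridOptionUnsafe(reportPayload)));
console.log("safe injected:  ", containsInjectedTag(renderGridOptionSafe(reportPayload)));
```

The escaper is context-specific: it is correct for HTML text and double-quoted attribute values, which is where a grid name would land. A value inserted into a JavaScript string, a URL, or CSS needs the encoder for that context instead, and the safest fix in a framework-based UI is to use its templating that escapes by default rather than building markup by string concatenation at all.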

Timeline

We are processing your report and will contact the pimcore team within 24 hours. (a year ago)
We have contacted a member of the pimcore team and are waiting to hear back. (a year ago)
Christian F. validated this vulnerability. (10 months ago)
asura-n has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.21 with commit aa3831. (10 months ago)
The fix bounty has been dropped.
This vulnerability has now been published. (10 months ago)