Stored cross-site scripting vulnerability in operator Any Getter in Pimcore grid configuration in pimcore/pimcore

Valid

Reported on

Mar 30th 2023


Description

Stored cross-site scripting vulnerability in the operator Any Getter of the Pimcore grid configuration: the values entered in the operator's settings are stored and later rendered in the admin UI without encoding.

Proof of Concept

  1. Log in to the demo account https://11.x-dev.pimcore.fun/admin/login

  2. In the left side menu go to Document --> Perspective --> CDP https://11.x-dev.pimcore.fun/admin/?perspective=CDP

  3. This takes you to the customer data; select any customer record, e.g. 1020 or 5020

  4. Now go to the dashboard and select the Grid option

  5. In the left side menu select Extractor --> Getter --> operator Any Getter

  6. The settings window opens

  7. Enter the payload in Label, Attribute or Parameter

  8. Click Save and Share and fill in the form; click Save, then open the grid configuration you saved earlier and the alert pops up

```javascript
// PoC.js
var payload = '"><iMg SrC="x" oNeRRor="alert(1);">';
```
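As an added illustration of the defensive side (this is example code, not code from the report, from Pimcore, or from the fix commit; the function names escapeHtml, renderGridLabel and looksLikeMarkup are this example's own), the following shows the rendering pattern that makes the stored label exploitable next to the output-encoded form that displays the same payload as inert text, plus a validation check that flags markup in a field meant to hold plain text:

```javascript
// Added example: output-encoding a stored grid label before rendering.
// escapeHtml, renderGridLabelUnsafe, renderGridLabel and looksLikeMarkup are
// hypothetical names chosen for this example, not Pimcore's API.

// Encode the five characters that let a string break out of HTML text or
// attribute context. The encoded value is safe to concatenate into markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored label is interpolated into HTML verbatim,
// so a value like the PoC payload becomes a live <img onerror=...> element
// once the browser parses the string.
function renderGridLabelUnsafe(label) {
  return '<span class="grid-label">' + label + "</span>";
}

// Hardened pattern: the same label is encoded first, so the browser shows
// the characters literally and creates no element or event handler.
function renderGridLabel(label) {
  return '<span class="grid-label">' + escapeHtml(label) + "</span>";
}

// Defence in depth: a heuristic server-side check that a label intended to
// be plain text contains no tag start or inline event handler, so a stored
// payload can be rejected or logged before it reaches any renderer. It is a
// detection aid, not a substitute for output encoding.
function looksLikeMarkup(value) {
  return /<\s*[a-z!\/]/i.test(value) || /\bon[a-z]+\s*=/i.test(value);
}

// Constructed sample: the payload from the PoC above.
const pocPayload = '"><iMg SrC="x" oNeRRor="alert(1);">';

console.log("unsafe :", renderGridLabelUnsafe(pocPayload));
console.log("escaped:", renderGridLabel(pocPayload));
console.log("flagged:", looksLikeMarkup(pocPayload));
```

Running the block prints the unsafe rendering with the `<iMg ... oNeRRor=...>` element intact, the encoded rendering in which every `<`, `>` and `"` has become an entity, and `true` from the validation check; the encoded form is what a grid configuration should emit regardless of whether the validation check is also in place.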



Impact

An attacker can steal the user's session cookie, which leads to complete account takeover.

Occurrences

We are processing your report and will contact the pimcore team within 24 hours. 8 months ago
We have contacted a member of the pimcore team and are waiting to hear back 8 months ago
Christian F. validated this vulnerability 7 months ago
Asura-N has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.21 with commit 6946f8 7 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 7 months ago
AnyGetter.php#L61-L65 has been validated