cross site scripting in pimcore/pimcore


Reported on

Mar 10th 2023

Pimcore is vulnerable to Cross site scripting vulnerability in classes module.


Step to reproduce:

  1. Navigate to setting > Data Objects > Classes.
  2. Select any classes and add Composite indices.
  3. Add Xss payload on it.

Payload: "><img src=x onerror=alert(document.cookie)>

We are processing your report and will contact the pimcore team within 24 hours. a year ago
We have contacted a member of the pimcore team and are waiting to hear back a year ago
pimcore/pimcore maintainer has acknowledged this report a year ago
Rahul Parmar
a year ago


Any Update?

Divesh Pahuja modified the Severity from High (8.2) to Medium (5.3) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Divesh Pahuja validated this vulnerability a year ago
ghostbit11 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.20 with commit 765832 a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
to join this conversation