XSS in Translations in pimcore/pimcore

Valid

Reported on

Mar 30th 2023


Description

XSS Vulnerability found in Translations>language.

Proof Of Concept:

POC.png

Steps To Reproduce :

  1. Go to https://11.x-dev.pimcore.fun/admin/ and login.
  2. In the left menu bar, go to Settings > Admin Translation and click on Add button to add a new record.
  3. Now click on translate. Add XSS payload in any language.
h"><img src=x onerror=alert(document.domain);>
  1. Now click on edit as HTML.

Impact

Execute Javascript code on victim browsers and potentially steal cookies to takeover their account.

We are processing your report and will contact the pimcore team within 24 hours. a year ago
pimcore/pimcore maintainer modified the report
a year ago
pimcore/pimcore maintainer modified the report
a year ago
pimcore/pimcore maintainer modified the report
a year ago
pimcore/pimcore maintainer modified the report
a year ago
pimcore/pimcore maintainer modified the report
a year ago
We have contacted a member of the pimcore team and are waiting to hear back a year ago
Christian F. validated this vulnerability 10 months ago
70rpedo has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
pimcore/pimcore maintainer
10 months ago

Thanks

Divesh Pahuja marked this as fixed in 10.5.21 with commit 7e32cc 9 months ago
The fix bounty has been dropped
This vulnerability has now been published 9 months ago
to join this conversation