Cross-site Scripting (XSS) - Stored in pimcore/pimcore

Valid

Reported on

Feb 16th 2023


Description

  1. https://11.x-dev.pimcore.fun/admin/
  2. Go to Settings -> Thumbnails -> Video Thumbnails
  3. Click the button (Add Media Segment)
  4. Write: "><img src=x onerror=alert(document.domain)> and then click OK

Impact

Execute script
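
The following is an added example, not code from the report or from Pimcore. It assumes the stored segment name is written into a double-quoted HTML attribute (the leading `">` of the reported string suggests this, but the report does not confirm it). All function and field names are hypothetical. It shows the reported string creating a new element when concatenated raw, and staying inert data when encoded at output time.

```javascript
// Added illustration; names are hypothetical, not Pimcore code.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for HTML text and quoted-attribute contexts.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Assumed vulnerable pattern: stored name concatenated into a quoted attribute.
function renderSegmentUnsafe(name) {
  return '<input type="text" name="segment" value="' + name + '">';
}

// Hardened form: identical markup, value encoded when it is written out.
function renderSegmentSafe(name) {
  return '<input type="text" name="segment" value="' + htmlEncode(name) + '">';
}

// Minimal start-tag scanner that honours quoted attribute values, used to
// check whether stored data introduced elements the template did not contain.
function startTags(html) {
  const tags = [];
  let i = 0;
  while ((i = html.indexOf("<", i)) !== -1) {
    const m = /^<([a-zA-Z][a-zA-Z0-9]*)/.exec(html.slice(i));
    if (!m) { i += 1; continue; }
    tags.push(m[1].toLowerCase());
    i += m[0].length;
    let quote = null;
    for (; i < html.length; i++) {
      const c = html[i];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === ">") { i++; break; }
    }
  }
  return tags;
}

// String taken from step 4 of the report.
const reported = '"><img src=x onerror=alert(document.domain)>';
console.log(startTags(renderSegmentUnsafe(reported)));
console.log(startTags(renderSegmentSafe(reported)));
```

A check like `startTags` is useful in a regression test for the fix: the rendered field should contain only the tags the template itself defines, whatever name is stored.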

We are processing your report and will contact the pimcore team within 24 hours. 10 months ago
We have contacted a member of the pimcore team and are waiting to hear back 10 months ago
Pocas
10 months ago

Researcher


Hello, they told me https://huntr.dev/bounties/ee86781c-3ca9-4dbc-8315-8ee243fb3b2b/ is a duplicate of this report. Maintainer, please check. Amazing haha

pimcore/pimcore maintainer has acknowledged this report 9 months ago
Divesh Pahuja modified the Severity from Critical (9.1) to Medium (4.8) 9 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Divesh Pahuja validated this vulnerability 9 months ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.18 with commit b9ba69 9 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 9 months ago