Cross-site Scripting (XSS) - Stored in pimcore/pimcore


Reported on

Feb 16th 2023


  2. Go to Settings -> Thumbnails -> Video Thumbnails
  3. Click the button (Add Media Segment)
  4. Write : "><img src=x onerror=alert(document.domain)> and then click ok


excute script

We are processing your report and will contact the pimcore team within 24 hours. 10 months ago
We have contacted a member of the pimcore team and are waiting to hear back 10 months ago
10 months ago


hello they said me is duple with this report. please maintainer checks amazing haha

pimcore/pimcore maintainer has acknowledged this report 9 months ago
Divesh Pahuja modified the Severity from Critical (9.1) to Medium (4.8) 9 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Divesh Pahuja validated this vulnerability 9 months ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 10.5.18 with commit b9ba69 9 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 9 months ago
to join this conversation