CVE-2022-0704: Cross-site Scripting (XSS) - Stored in pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.

Description

Stored cross-site scripting vulnerability in the pimcore icon field (the Icon field of the Events and News data object classes). A fix was committed in 832c34, but the XSS still executes.

Proof of Concept

1. Log in to the demo account https://10.x-dev.pimcore.fun/admin/

2. Go to Settings --> Data Objects --> Classes --> Events icon field --> add the payload and click Save.

3. Go to the Data Objects tab located at the bottom, open the Events folder and expand it; the alert will trigger.

4. Payload: "><iMg SrC="x" oNeRRor="alert(1);">

Impact

This vulnerability can be used to steal the user's session cookie.
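As an added example (not pimcore's code, which this page does not show), the defensive fix for this class of bug: encoding the stored icon value for the HTML attribute context before it is interpolated into markup, then checking that the advisory's payload can no longer break out of the attribute. The two render helpers are hypothetical stand-ins for the real template.

```javascript
// Added example, not pimcore's code: escaping the icon field value for the HTML
// attribute context it ends up in, and checking the result. Rendering helpers
// are hypothetical stand-ins for the real template.
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const ATTR_UNESCAPES = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#x27;': "'" };

// Encode every character that can terminate an attribute value or start a tag.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Reverse of the encoder, used below to confirm the stored value survives unchanged.
function decodeHtmlAttribute(text) {
  return text.replace(/&(amp|lt|gt|quot|#x27);/g, (ent) => ATTR_UNESCAPES[ent]);
}

// Vulnerable form: raw interpolation lets `">` close the attribute and open a new tag.
function renderIconVulnerable(iconValue) {
  return `<img src="${iconValue}">`;
}

// Hardened form: the value cannot leave the src attribute.
function renderIconHardened(iconValue) {
  return `<img src="${encodeForHtmlAttribute(iconValue)}">`;
}

// Number of tag openers in the markup; a single icon should produce exactly one.
function countTagOpeners(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Value of the first quoted src attribute, decoded as a browser would see it.
function srcAttribute(html) {
  const m = html.match(/src="([^"]*)"/);
  return m ? decodeHtmlAttribute(m[1]) : null;
}

// Constructed sample: the payload from the advisory above.
const PAYLOAD = '"><iMg SrC="x" oNeRRor="alert(1);">';

// How many tags each rendering produces and what the hardened src actually holds.
function compareRenderings(value) {
  return {
    vulnerableTags: countTagOpeners(renderIconVulnerable(value)),
    hardenedTags: countTagOpeners(renderIconHardened(value)),
    hardenedSrc: srcAttribute(renderIconHardened(value)),
  };
}

console.log(compareRenderings(PAYLOAD));
```

The hardened rendering yields one tag and a src attribute that decodes back to the original stored string, so the value is preserved while the injected element never exists.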
