Headline
CVE-2022-0704: Cross-site Scripting (XSS) - Stored in pimcore
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.
Description
Cross site scripting vulnerability in pimcore,pimcore field, it is fixed in this commit 832c34 , but still it is executing xss .Icon field in events and news
Proof of Concept
1 . Login to the demo account https://10.x-dev.pimcore.fun/admin/
Go to settings -->data objects --> classes --> Events icon field --> add payload and click save
Go to data objects tab which is located at the bottom, go to events folder and extend alert will trigger .
payload = “><iMg SrC="x” oNeRRor="alert(1);">
Impact
This vulnerability is capable of stolen the user cookie