CVE-2022-0911: Cross-site Scripting (XSS) - Stored in pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.4.0.

Description

pimcore datahub is vulnerable to Stored XSS in multiple places including:

(1) Field-Collections in Data Objects

(2) Objectbricks in Data Objects

Proof of Concept (for both 1 & 2)

Step 1: Go to https://10.x-dev.pimcore.fun/admin/ and login.

Step 2: Click Settings > Data Objects > Field-Collections / Objectbricks > Add

Step 3: Input aaa so as to capture a legitimate POST request in Burp Suite

Step 4: Modify the value of the “key” parameter in the body of the POST request to the URL-encoded value below

"><img+src%3dx+onerror%3dalert(document.domain)>

Step 5: Forward the request

You will see an alert box whenever you access Field-Collections / Objectbricks

Impact

This vulnerability could allow an attacker to potentially steal a user’s cookie and gain unauthorized access to that user’s account through the stolen cookie.
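
The two defences that stop this class of bug, as an added example (not pimcore's code and not its actual fix): the decoded "key" is validated server-side against an identifier allowlist, and stored keys are HTML-encoded when rendered. The function names, the key pattern and the table-cell markup are assumptions made for illustration.

```javascript
// Added example, not pimcore code. Names and the key policy are assumptions.
// Constructed body carrying the value from step 4 in the "key" parameter.
const SAMPLE_BODY = 'key="><img+src%3dx+onerror%3dalert(document.domain)>';

// Assumed policy: a definition key is an identifier, letter first, max 64 chars.
const KEY_PATTERN = /^[A-Za-z][A-Za-z0-9_]{0,63}$/;

// Form-decode the body ('+' becomes space, %XX is decoded once) and return "key".
function parseKey(body) {
  const key = new URLSearchParams(body).get('key');
  return key === null ? '' : key;
}

// Input side: validate the decoded value on the server before storing it.
// Checking the raw wire form instead would miss encoded markup characters.
function handleAddDefinition(body) {
  const key = parseKey(body);
  if (!KEY_PATTERN.test(key)) {
    return { status: 400, error: 'invalid key' };
  }
  return { status: 200, key };
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output side: encode every stored key when it is placed into markup, so a
// value saved before validation existed is shown as text, not parsed as HTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderKeyCell(storedKey) {
  return '<td class="key">' + escapeHtml(storedKey) + '</td>';
}
```

Validation alone does not clean up keys that were already stored, which is why the output encoding is applied regardless of what the input check accepts.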
