huntr | Chucsse | 2A3A13FE-2A9A-4D1A-8814-FD8ED1E3B1D5
May 07, 2023 - 5:54 p.m.

Stored XSS in module name "Edit Link"

2023-05-07 17:54:16
chucsse
www.huntr.dev
Tags: xss, stored, edit link, input filtering, proof of concept, video poc

EPSS: 0.001 (percentile: 33.2%)

Description

I noticed that you filtered the input very carefully.

But there are still some parts you missed.

Proof of Concept

1. Log in at URL: https://demo.pimcore.fun/admin.

2. Go to “Search Documents”, filter the search to “Snippet” only, and press search.

3. Go to “/en/shared/teasers/Popular Brands”.

4. In the Edit section, press the “Edit Link” icon and edit the “Text” section, then enter the following XSS:

                <img src>

5. Save, and the XSS is executed.

Video PoC

https://drive.google.com/file/d/18LNVcoZsluPMWb_VvHJkI_iKtpES_iLV/view?usp=sharing
