pimcore datahub is vulnerable to Stored XSS in the Unique Indetifier of the function of “Add a new configuration” in Datahub. Whenever an admin user access data hub, a stored XSS will be triggered.
Step 1: Go to https://demo.pimcore.fun/admin/ and login.
Step 2: Click Datahub
Step 3: Click Add Configuration
Step 4: Input aaa so as to capture legitimate request in Burp Suite
Step 5: Modify value of the name parameter in the GET request as below, which is URL encoded
"><img+src%3dx+onerror%3dalert(1)%3b>
Step 6: Forward the request
You will see the an alert box prompt wheenver you access Datahub
This vulnerability is capable for letting attacker potentially steal a user’s cookie and gain unauthorized access to that user’s account through the stolen cookie.