huntr / Scriptidiot / 708971A6-1E6C-4C51-A411-255CAEBA51DF
Mar 08, 2022 - 4:20 p.m.

Cross-site Scripting (XSS) - Stored

2022-03-08 16:20:52
scriptidiot
www.huntr.dev

EPSS: 0.001 Low
Percentile: 21.6%

Description

pimcore datahub is vulnerable to Stored XSS in the Unique Identifier field of the “Add a new configuration” function in Datahub. Whenever an admin user accesses Datahub, the stored XSS is triggered.

Proof of Concept

Step 1: Go to https://demo.pimcore.fun/admin/ and login.

Step 2: Click Datahub

Step 3: Click Add Configuration

Step 4: Enter aaa so that the legitimate request can be captured in Burp Suite

Step 5: Modify the value of the name parameter in the GET request as below (the value is URL-encoded)

"><img+src%3dx+onerror%3dalert(1)%3b>

Step 6: Forward the request

You will see an alert box whenever you access Datahub.

Impact

This vulnerability can let an attacker potentially steal a user’s cookie and gain unauthorized access to that user’s account through the stolen cookie.
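
A defensive sketch of the fix class for the name parameter from Step 5, added here as an example and not pimcore's own code or patch: validate the identifier server-side before it is stored, and HTML-encode it wherever it is rendered. The function names, the allowlist pattern and the 80-character limit are assumptions.

```javascript
// Added example (not pimcore code). Names, pattern and length limit are assumptions.

// Decode one query-string value the way a web framework does: "+" means space.
function decodeQueryValue(raw) {
  return decodeURIComponent(raw.replace(/\+/g, " "));
}

// Assumed policy for a configuration identifier: letters, digits, "_" and "-".
function isValidConfigName(name) {
  return typeof name === "string" && /^[A-Za-z0-9_-]{1,80}$/.test(name);
}

// Output encoding for HTML text nodes and quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored value is concatenated into markup as-is.
function renderRowUnsafe(name) {
  return '<div class="config" data-name="' + name + '">' + name + "</div>";
}

// Hardened pattern: encode on output every time the stored value is rendered.
function renderRowSafe(name) {
  const encoded = escapeHtml(name);
  return '<div class="config" data-name="' + encoded + '">' + encoded + "</div>";
}

// Server-side gate applied before the configuration is stored.
function acceptConfigName(rawQueryValue) {
  const name = decodeQueryValue(rawQueryValue);
  if (!isValidConfigName(name)) {
    return { ok: false, error: "invalid configuration name" };
  }
  return { ok: true, name: name };
}

// Value from Step 5 of the report, as sent in the request.
const REPORTED_VALUE = '"><img+src%3dx+onerror%3dalert(1)%3b>';

console.log(acceptConfigName("aaa"));           // accepted
console.log(acceptConfigName(REPORTED_VALUE));  // rejected before storage
console.log(renderRowSafe(decodeQueryValue(REPORTED_VALUE))); // inert text
```

Validation alone does not protect values stored before the check existed, so the output encoding is needed at every place the identifier is rendered.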
