huntr | Si13ntr311ik | CE852777-2994-40B4-BB4E-C4D10023EEB0
History: Jul 26, 2023 - 4:03 p.m.

Stored HTML injection on segment name

2023-07-26 16:03:09
si13ntr311ik
www.huntr.dev
Tags: html injection, web application, vulnerability, input point, arbitrary code, segmentation, bounties

EPSS: 0.001
Percentile: 23.9%

Description

I have found an HTML Injection vulnerability on your web application. HTML injection is a type of injection vulnerability that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page.

Note: I am recreating the report as you requested.
https://huntr.dev/bounties/b2edcaf2-327d-45fd-9e54-ea4c164466a1/

Steps to reproduce:

  1. Navigate to the URL https://demo.pimcore.fun/admin and log in.
  2. Select perspective -> CDP and click on any user profile.
  3. Click Edit -> Segmentation -> Calculated segments (open the folder).
  4. Enter the HTML payload in the Segment name field and save it.
  5. Go to the customers option; the payload successfully worked.

Proof of Concept

https://drive.google.com/file/d/1xdzlAsyH-ievhIaRbfXJ0JHTtlix62N2/view?usp=sharing
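
The flow reported above (a segment name saved as-is, then rendered in the customers view) is closed by encoding the stored value at the point of output. The following is an added example, not part of the original report and not Pimcore's code; the in-memory store, function names and sample data are hypothetical and constructed for illustration.

```javascript
// Added example with hypothetical names; not Pimcore code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML structure in element
// text or inside a quoted attribute. null/undefined become an empty string.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed stand-in for the stored segment records.
const segmentStore = new Map();

function saveSegment(id, name) {
  // Stored verbatim: encoding belongs to the renderer, so the same data
  // stays correct in non-HTML outputs (CSV export, API responses).
  segmentStore.set(id, { id, name });
}

// Vulnerable pattern: the stored name is concatenated into markup as-is.
function renderCustomerRowUnsafe(customer) {
  const names = customer.segmentIds.map((id) => segmentStore.get(id).name);
  return `<tr><td>${customer.email}</td><td>${names.join(', ')}</td></tr>`;
}

// Hardened pattern: every stored value is encoded where it is written out,
// in both text and attribute context; unknown segment ids are skipped.
function renderCustomerRow(customer) {
  const cells = customer.segmentIds
    .map((id) => segmentStore.get(id))
    .filter(Boolean)
    .map((seg) => `<span title="${escapeHtml(seg.name)}">${escapeHtml(seg.name)}</span>`);
  return `<tr><td>${escapeHtml(customer.email)}</td><td>${cells.join(', ')}</td></tr>`;
}

// Constructed sample data; the injected markup is a harmless heading tag.
saveSegment(1, 'VIP');
saveSegment(2, '<h1>injected</h1>');
saveSegment(3, 'R&D "beta"');
const sampleCustomer = { email: 'jane@example.com', segmentIds: [1, 2, 3, 99] };

console.log(renderCustomerRowUnsafe({ ...sampleCustomer, segmentIds: [1, 2, 3] }));
console.log(renderCustomerRow(sampleCustomer));
```

Legitimate names containing `&` or quotes still display correctly after encoding, so no input characters need to be rejected at save time.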
