CVE-2022-0509

Description

The pimcore/pimcore package is an open source platform that provides PIM, MDM, CDP, DAM, DXP/CMS & Digital Commerce services. A stored XSS vulnerability occurs when the value of "name" is changed under "Settings" => "Website Settings" in pimcore.

                 border:false,
layout:"fit",
closable:true,
- items:[this.getRowEditor()]
+ items:[this.getRowEditor()],
});

var tabPanel = Ext.getCmp("pimcore_panel_tabs");
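Review bot: style-only change; the trailing comma added after `items:[this.getRowEditor()]` has no functional effect and just keeps this object literal consistent with the other config objects in the file. Fine to keep, but it is not part of the security fix and should not be read as one.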
@@ -133,6 +133,7 @@ pimcore.settings.website = Class.create({
dataIndex: 'data',
flex: 300,
editable: true,
+ editor: new Ext.form.TextField({}),
renderer: this.getCellRenderer.bind(this),
},
{text: t("site"), flex: 100, sortable:true, dataIndex: "siteId",
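Review bot: the new column-level `editor: new Ext.form.TextField({}),` on the `data` column does nothing to neutralise stored HTML; what puts the value on the page is `renderer: this.getCellRenderer.bind(this),` on the next line, so output encoding for this column depends entirely on getCellRenderer. Since getCellEditor in the later hunk already builds a type-specific editor per record, please add a comment stating whether this column-level editor is only a fallback for row types getCellEditor does not handle.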
@@ -303,7 +304,10 @@ pimcore.settings.website = Class.create({
bodyCls: "pimcore_editable_grid",
stripeRows:true,
columns : {
+ items: typesColumns
+ items: typesColumns,
+ defaults: {
+ renderer: Ext.util.Format.htmlEncode
+ },
},
sm: Ext.create('Ext.selection.RowModel', {}),
bbar:this.pagingtoolbar,
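Review bot: `defaults: { renderer: Ext.util.Format.htmlEncode }` only reaches columns that do not set a `renderer` of their own; the `data` column in the earlier hunk sets `renderer: this.getCellRenderer.bind(this)` and keeps it, so getCellRenderer must HTML-encode by itself for that column to be covered, and that should be verified in the same change. Also, as shown the hunk adds `items: typesColumns` twice, the first without a trailing comma, which would not parse; the first of the two is presumably the removed line and should be checked against the actual commit.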
@@ -359,15 +363,23 @@ pimcore.settings.website = Class.create({
},

getCellEditor: function (record) {
- var data = record.data;
+ let data = record.data;

- var type = data.type;
- var property;
+ let type = data.type;
+ let property;

if (type === "text") {
- property = Ext.create('Ext.form.TextField');
+ property = {
+ xtype: 'textfield',
+ flex: 1,
+ value: data.data
+ }
} else if (type == "textarea") {
- property = Ext.create('Ext.form.TextArea');
+ property = {
+ xtype: "textarea",
+ flex: 1,
+ value: data.data
+ }
} else if (type == "document" || type == "asset" || type == "object") {
property = {
xtype: 'textfield',
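Review bot: the editor configs pass `value: data.data` through raw, and that is the right place not to encode: the field value is set as text, and encoding it here would show the user entities and write them back double-encoded on save, so output encoding belongs in the renderer only. One style point: the `var` to `let` conversion is unrelated to the fix and mixes declaration styles with the rest of the file; either drop it here or do it file-wide in a separate change.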

The pimcore developers patched this vulnerability with the changes above: the website settings grid now sets a default column renderer of Ext.util.Format.htmlEncode, so stored values are HTML-encoded before they are rendered into the page instead of being interpreted as markup.
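As an added example (not Pimcore's or Ext JS's code), the following JavaScript models the patched grid's rendering: an `htmlEncode` with the same escaping set as `Ext.util.Format.htmlEncode`, the `defaults`-versus-column merge in which the column's own `renderer` wins, and the PoC payload from this advisory rendered through both the unpatched and the patched shape; the column shapes and the merge semantics are simplified assumptions.

```javascript
// Added example, not Pimcore or Ext JS code. It models how the patch's
// `defaults: { renderer: Ext.util.Format.htmlEncode }` neutralises a stored
// payload, and why a column that brings its own renderer is not covered.
// Assumptions: htmlEncode escapes the five characters below, and Ext applies
// `defaults` only to column properties the column has not already set.

// Same escaping set as Ext.String.htmlEncode (assumption stated above).
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/>/g, "&gt;")
    .replace(/</g, "&lt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stand-in for the Ext `columns: { items, defaults }` merge: the column's own
// properties win, the default only fills what is missing.
function applyColumnDefaults(columns) {
  return columns.items.map((col) => Object.assign({}, columns.defaults, col));
}

// Render one record the way the grid would: one HTML string per column.
function renderRow(columns, record) {
  return applyColumnDefaults(columns).map((col) => {
    const raw = record[col.dataIndex];
    return col.renderer ? col.renderer(raw) : raw;
  });
}

// Constructed record: the advisory's PoC payload stored in both fields.
const POC_NAME = '"><img src=x onerror=alert(document.domain)>';
const record = { name: POC_NAME, data: POC_NAME };

// Patched shape (simplified): `name` relies on the default renderer, while
// `data` keeps its own renderer that does not encode (hypothetical).
const patchedColumns = {
  items: [
    { dataIndex: "name" },
    { dataIndex: "data", renderer: (v) => "<b>" + v + "</b>" },
  ],
  defaults: { renderer: htmlEncode },
};

// Pre-patch shape: no default renderer, so the value is dropped in verbatim.
const unpatchedColumns = { items: [{ dataIndex: "name" }], defaults: {} };
```

The `data` column shows the caveat: a column that sets its own renderer, as the `data` column in the patch does, is not touched by `defaults`, so that renderer has to encode on its own.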


Proof of Concept

XSS PoC: "><img src=x onerror=alert(document.domain)>

1. Open https://10.x-dev.pimcore.fun/admin/login?perspective=
2. After login, go to "Settings" => "Website Settings"
3. Change the value of name to the XSS PoC
4. Refresh

Video : https://www.youtube.com/watch?v=k-aQ4RpJ1Po

Reporting Timeline

  • 2022-01-27 00h 40m : Reported this issue via huntr
  • 2022-02-07 20h 26m : Issue validated by Bernhard Rusch
  • 2022-02-07 23h 25m : Issue patched by Bernhard Rusch
  • 2022-02-07 23h 25m : CVE-2022-0509 assigned

Reference