Vendor: Pimcore
By: maeitsec
CVSS: 6.1 (HIGH)
Vulnerability Type: Cross-Site Scripting (XSS)
CWE: 79
Product Name: Pimcore
Affected Version From: Pimcore 10.5.x
Affected Version To: Pimcore 10.5.20
Patch Exists: YES
Related CVE: CVE-2024-11954
CPE: a:pimcore:pimcore
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu 20.04
Year: 2025

Authenticated Stored Cross-Site Scripting (XSS) Via Search Document

An authenticated stored Cross-Site Scripting (XSS) vulnerability was found in Pimcore's Data Object Classification Store feature. The vulnerability is caused by inadequate input filtering, which lets an authenticated attacker with access to the classification store store arbitrary JavaScript in a key value. When other users view the affected data, the injected code runs in their browser context.

Mitigation:

To mitigate this vulnerability, users should update Pimcore to version 10.5.21 or 11.1.1, where the issue has been resolved. Additionally, input sanitization measures should be implemented to filter out malicious code.
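The mitigation paragraph above names output sanitization as the defence; the following is an added illustration, not Pimcore's own code, of what that means for a value read from the classification store. It escapes the five HTML-significant characters before the value is interpolated into markup, and includes a small check that flags rendered fragments containing tags the template never emits (the store value, the `renderKey*` helpers and the `tr`/`td` template are constructed for this example).

```javascript
// Added example (not Pimcore project code): contextual HTML escaping of a
// stored key value before it is rendered, next to the unescaped variant that
// reproduces the flaw described in the advisory.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Escape for an HTML text/attribute context. This is the minimum needed
// before untrusted data is interpolated into markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical template: one row per classification-store key. The only
// markup the template itself emits is <tr> and <td>.
function renderKeyRaw(key, value) {
  // Vulnerable pattern: raw interpolation of stored data.
  return `<tr><td>${key}</td><td>${value}</td></tr>`;
}

function renderKeyEscaped(key, value) {
  // Fixed pattern: every untrusted value is escaped for the HTML context.
  return `<tr><td>${escapeHtml(key)}</td><td>${escapeHtml(value)}</td></tr>`;
}

// Defensive check usable in a unit test or a rendering audit: if the rendered
// fragment contains any element other than the template's own <tr>/<td>, some
// value reached the markup without escaping.
function containsUnexpectedMarkup(html) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => t !== 'tr' && t !== 'td');
}

// Constructed sample: the PoC payload quoted in the advisory, stored as a value.
const SAMPLE_KEY = 'colour';
const SAMPLE_VALUE = "<script>alert('XSS')</script>";

// Runs both variants over the sample and reports which one leaks markup.
function demo() {
  return {
    rawLeaksMarkup: containsUnexpectedMarkup(renderKeyRaw(SAMPLE_KEY, SAMPLE_VALUE)),
    escapedLeaksMarkup: containsUnexpectedMarkup(renderKeyEscaped(SAMPLE_KEY, SAMPLE_VALUE)),
    escapedFragment: renderKeyEscaped(SAMPLE_KEY, SAMPLE_VALUE),
  };
}

console.log(demo());
```

Escaping at render time is what a template engine's auto-escaping does by default; the check in `containsUnexpectedMarkup` is a cheap regression guard for views where auto-escaping has been disabled or where values are concatenated by hand.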

Exploit-DB raw data:

# Exploit Title: Authenticated Stored Cross-Site Scripting (XSS) Via Search Document
# Google Dork: N/A
# Date: 1/28/2025
# Exploit Author: maeitsec
# Vendor Homepage: https://pimcore.com/
# Software Link: https://github.com/pimcore/pimcore
# Version: Pimcore 10.5.x (prior to 10.5.21) and 11.x (prior to 11.1.1)
# Tested on: Pimcore 10.5.20 on Ubuntu 20.04
# CVE: CVE-2024-11954

---

### Description:
A stored Cross-Site Scripting (XSS) vulnerability exists in Pimcore's Data
Object Classification Store functionality. The vulnerability arises due to
insufficient input sanitization, allowing an authenticated attacker with
access to the classification store to inject malicious JavaScript code.
This code is then executed in the context of other users' browsers when
they view the affected data.

### Proof of Concept (PoC):
1. Log in to the Pimcore backend as a user with access to the Data Object
Classification Store.
2. Navigate to the Classification Store and create or edit a key.
3. Inject the following payload into the key value:
   ```html
   <script>alert('XSS')</script>
   ```
4. Save the file and view it in the frontend or backend. The JavaScript
alert will execute, demonstrating the vulnerability.