GHSA-xr3m-6gq6-22cg
Vulnerability from github
Published
2025-01-28 19:12
Modified
2025-11-04 19:52
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Summary
Pimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document
Details

Summary

A Stored Cross-Site Scripting (XSS) vulnerability in PIMCORE allows remote attackers to inject arbitrary web script or HTML via the PDF upload functionality. This can result in the execution of malicious scripts in the context of the user's browser when the PDF is viewed, leading to potential session hijacking, defacement of web pages, or unauthorized access to sensitive information.

Details

The vulnerability is present in the PDF upload functionality of the PIM Core Upload module. When a user uploads a PDF file, the application fails to properly sanitize the content, allowing embedded scripts to be executed when the PDF is viewed. The affected code is located in the file handling and rendering logic of the PDF upload feature.

PoC

  1. Log in as Administrator image

  2. Hover to Assets image

  3. Right click and click "Add Asset(s) > upload files image

  4. Upload malicious pdf image

  5. Click on search and select document image

  6. copy the path and open to a new tab

https://demo.pimcore.fun/admin/Sample C

image

  1. XSS PDF can be access without authentication.

image

Image showing no cookies indicator that there are no session currently in

image

Impact

This is a Stored Cross-Site Scripting (XSS) vulnerability. It impacts any user who views the malicious PDF, potentially leading to session hijacking, defacement of web pages, or unauthorized access to sensitive information. The severity is high due to the potential for significant impact on confidentiality and integrity.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/pimcore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.4.2"
            },
            {
              "fixed": "11.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-11954"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-28T19:12:44Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n \nA Stored Cross-Site Scripting (XSS) vulnerability in PIMCORE allows remote attackers to inject arbitrary web script or HTML via the PDF upload functionality. This can result in the execution of malicious scripts in the context of the user\u0027s browser when the PDF is viewed, leading to potential session hijacking, defacement of web pages, or unauthorized access to sensitive information.\n \n### Details\n \nThe vulnerability is present in the PDF upload functionality of the PIM Core Upload module. When a user uploads a PDF file, the application fails to properly sanitize the content, allowing embedded scripts to be executed when the PDF is viewed. The affected code is located in the file handling and rendering logic of the PDF upload feature.\n \n### PoC\n \n\n \n1. Log in as Administrator\n![image](https://github.com/user-attachments/assets/7945bbd7-5277-4a0e-8365-56e5df319bae)\n\n2. Hover to Assets\n![image](https://github.com/user-attachments/assets/f24645ee-d740-4a5e-81d1-b8bf48b71cce)\n\n \n3. Right click and click \"Add Asset(s) \u003e upload files\n![image](https://github.com/user-attachments/assets/0603cc90-44d8-423e-a01c-b0367fd929bd)\n\n \n4. Upload malicious pdf\n![image](https://github.com/user-attachments/assets/51aa609d-f100-4f46-b3bb-3d730e000a02)\n\n \n5. Click on search and select document\n![image](https://github.com/user-attachments/assets/7e945b26-4f8a-4e91-adea-8f46a0f17856)\n\n \n6. copy the path and open to a new tab \n\n[https://demo.pimcore.fun/admin/Sample C](https://demo.pimcore.fun/Sample%20Content/Documents/xssmaeitsec.pdf)\n \n![image](https://github.com/user-attachments/assets/500d49d6-42f7-4b64-8b01-117f439ace8d)\n\n7. XSS PDF can be access without authentication. \n\n \n![image](https://github.com/user-attachments/assets/7fb53fc2-2f65-42b3-9ed7-fc0413211a3f)\n\n Image showing no cookies indicator that there are no session currently in\n \n![image](https://github.com/user-attachments/assets/89f58fff-0dee-4520-9071-efd024c2f6d3)\n\n### Impact\nThis is a Stored Cross-Site Scripting (XSS) vulnerability. It impacts any user who views the malicious PDF, potentially leading to session hijacking, defacement of web pages, or unauthorized access to sensitive information. The severity is high due to the potential for significant impact on confidentiality and integrity.",
  "id": "GHSA-xr3m-6gq6-22cg",
  "modified": "2025-11-04T19:52:44Z",
  "published": "2025-01-28T19:12:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-xr3m-6gq6-22cg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11954"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/pimcore"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.293905"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.