epicosy (5)
Last Login: September 30, 2024
epicosy's Latest (2) Contributions
Technical Analysis
Description
Missing Sanitization of $item->getGroup() (lines 864 and 1269) in fieldcollectionTreeAction/objectbrickTreeAction functions in bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php allows Admin User to perform Source Code Injection through Stored Group Fields (in Object Bricks/Field Collection under settings module) resulting in Information Exposure (cookie theft).
Analysis
What makes this vulnerability stored is that the Group fields (for the listings under Object Bricks or Field Collection in the Settings Module) are saved to the database in the objectbrickUpdateAction function (serves the route /objectbrick-update for the methods {“PUT”, “POST”}).
Example of the PUT request: https://demo.pimcore.com/admin/class/objectbrick-update
That means the patch only mitigates the XSS in the objectbrickTreeAction function (serves the route /objectbrick-tree for the methods={“GET”, “POST”}).
Example of the GET request: https://demo.pimcore.com/admin/class/objectbrick-tree?_dc=1721102886220&grouped=1&node=0
The execution would happen in the Object Bricks/Field Collection listings for Data Objects in the Settings Module (span with class x-tree-node-text in a table with id treeview-record)
Rating
The attack is relatively straightforward (XSS payloads are well documented and relatively easy to craft), requiring low privileges (anyone could access the Demo with privileged permissions and target other active users) and minimal complexity, though user interaction is needed.
The vulnerability can lead to limited data exposure and modification but does not significantly impact availability. Since the Demo resets every two hours (restoring all data to the default state), it is minimally valuable.
Technical Analysis
Entered URL through Draft.js entity data (props.contentState.getEntity(props.entityKey).getData()) in querybook/webapp/lib/richtext/ index.tsx (line 13) misses validation of URL schema using Safelist (‘http:’, ‘https:’), resulting in client-side XSS at <Link to={url} newTab> (line 15), enabling ACE when exploited.
