Pimcore
cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*
- 11.4.2
A stored cross-site scripting vulnerability has been identified in Pimcore version 11.4.2. This issue arises in the Search Document component, where the application fails to properly sanitize PDF files uploaded by users. As a result, malicious scripts embedded in the PDFs can be executed in the context of the user's browser when the PDF is viewed. This vulnerability allows for session hijacking, defacement of web pages, and unauthorized access to sensitive information.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed when the affected PDF is viewed, potentially leading to session hijacking and unauthorized access to sensitive information.
To reproduce this vulnerability, log in as an administrator and navigate to the Assets section. Right-click to upload a file and select a malicious PDF that contains embedded scripts. After uploading, search for the document and open it in a new tab. The injected script will execute without authentication, demonstrating the cross-site scripting vulnerability.
Users are advised to update to Pimcore version 11.5.3, where this vulnerability has been patched.
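The following is an added triage example, not Pimcore's code and not the fix shipped in 11.5.3: a Python heuristic that flags PDFs carrying script or automatic-action names, usable for reviewing assets that were uploaded before patching. The function names and sample byte strings are constructed for illustration, and the scan only covers plain dictionaries and Flate-compressed streams, so encrypted or otherwise filtered content is outside its reach.

```python
import re
import zlib

# PDF name tokens that introduce scripts or automatic actions.
ACTIVE_NAMES = {"JavaScript", "JS", "OpenAction", "AA", "Launch"}
NAME_RE = re.compile(rb"/([^\s/<>\[\]()%{}]+)")        # PDF name objects
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")          # #xx escapes inside names
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def _decode_name(raw):
    """Undo #xx escapes so /J#61vaScript is read as JavaScript."""
    decoded = HEX_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def _names_in(data):
    """Active-content names present in a chunk of PDF bytes."""
    return {_decode_name(m.group(1)) for m in NAME_RE.finditer(data)} & ACTIVE_NAMES


def active_content(pdf_bytes):
    """Return active-content names found in the file body and in any
    Flate-compressed stream (object streams can hold whole dictionaries)."""
    found = _names_in(pdf_bytes)
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates the end-of-line bytes left after the data
            found |= _names_in(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (image, other filter); nothing to scan
    return found


# Constructed sample inputs (not real files); the script body is a placeholder.
CLEAN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF"
SCRIPTED = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n%%EOF")
PACKED = (b"%PDF-1.7\n4 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
          + zlib.compress(b"<< /S /JavaScript /JS (placeholder) >>")
          + b"\nendstream\nendobj\n%%EOF")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("scripted", SCRIPTED), ("packed", PACKED)):
        print(label, sorted(active_content(sample)))
```

A hit marks a file for review rather than proving it malicious, since benign documents also use `/OpenAction` to set an initial view.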