Pimcore
cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*
- 12.3.3
A stored cross-site scripting vulnerability has been identified in Pimcore version 12.3.3. This issue allows authenticated attackers with permission to edit documents to inject crafted HTML and JavaScript into an embed editable. When the document is published and viewed, the injected script is executed. The vulnerability arises because the embed editable does not properly sanitize URLs before embedding, allowing arbitrary HTML, including scripts, to be executed in the context of the user's browser.
Successful exploitation results in stored cross-site scripting: the injected script runs in the browser of the user viewing the published page.
To reproduce this vulnerability, authenticate as a user with permission to edit documents in Pimcore 12.3.3. In the document edit mode, set the embed value to a payload that includes JavaScript, such as a script tag with a JavaScript alert. Save and publish the document, then visit the frontend page containing the editable. The injected script will execute in the browser.
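The root cause described above is a URL that reaches the page without validation or output encoding. The following is an added example of a generic mitigation pattern, not Pimcore's code or its actual fix: an allow-list check followed by escaping at the output boundary. The function names, the link-style rendering and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: generic allow-list validation for a URL that will be embedded.
// Function names and sample values are hypothetical, not Pimcore code.

/** Return the URL if it is a plain absolute http(s) URL, otherwise null. */
function validateEmbedUrl(string $value): ?string
{
    $value = trim($value);
    // Reject markup, quotes, whitespace and control characters outright:
    // a well-formed URL carries these only in percent-encoded form.
    if ($value === '' || preg_match('/[<>"\'`\s\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Scheme allow-list: anything other than http/https is refused.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $value;
}

/** Render the embed; the URL is escaped again at the output boundary. */
function renderEmbed(string $value): string
{
    $url = validateEmbedUrl($value);
    if ($url === null) {
        return ''; // fail closed: nothing is embedded
    }
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a class="embed" href="' . $safe . '" rel="noopener noreferrer">' . $safe . '</a>';
}

// Constructed sample inputs.
$samples = [
    'https://media.example.com/watch?v=abc123',
    '<script>alert(1)</script>',
    'ftp://media.example.com/clip',
    'https://media.example.com/"><script>alert(1)</script>',
];
foreach ($samples as $s) {
    printf("%-60s => %s\n", $s, renderEmbed($s) === '' ? 'rejected' : 'embedded');
}
```

Only the first sample is embedded; the other three are rejected before any markup is produced.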