GHSA-xr3m-6gq6-22cg
HIGHPimcore Authenticated Stored Cross-Site Scripting (XSS) Via Search Document
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
pimcore/pimcoreReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Summary
A Stored Cross-Site Scripting (XSS) vulnerability in PIMCORE allows remote attackers to inject arbitrary web script or HTML via the PDF upload functionality. This can result in the execution of malicious scripts in the context of the user's browser when the PDF is viewed, leading to potential session hijacking, defacement of web pages, or unauthorized access to sensitive information.
Details
The vulnerability is present in the PDF upload functionality of the PIM Core Upload module. When a user uploads a PDF file, the application fails to properly sanitize the content, allowing embedded scripts to be executed when the PDF is viewed. The affected code is located in the file handling and rendering logic of the PDF upload feature.
PoC
-
Log in as Administrator
-
Hover to Assets
-
Right click and click "Add Asset(s) > upload files
-
Upload malicious pdf
-
Click on search and select document
-
copy the path and open to a new tab
https://demo.pimcore.fun/admin/Sample C
- XSS PDF can be access without authentication.
Image showing no cookies indicator that there are no session currently in
Impact
This is a Stored Cross-Site Scripting (XSS) vulnerability. It impacts any user who views the malicious PDF, potentially leading to session hijacking, defacement of web pages, or unauthorized access to sensitive information. The severity is high due to the potential for significant impact on confidentiality and integrity.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | pimcore/pimcore | ≥ 11.4.2&&< 11.5.3 | 11.5.3 |
Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.
Pimcore 11.4.2 - Stored cross site scripting
by maeitsec · Apr 14, 2025
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for pimcore/pimcore. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update pimcore/pimcore to 11.5.3 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-xr3m-6gq6-22cg is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-xr3m-6gq6-22cg is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-xr3m-6gq6-22cg. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-xr3m-6gq6-22cg in your dependencies?
O3 detects GHSA-xr3m-6gq6-22cg across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.