VYPR
Moderate severity · NVD Advisory · Published Aug 24, 2018 · Updated Aug 5, 2024

CVE-2018-14059

Description

Pimcore allows XSS via Users, Assets, Data Objects, Video Thumbnails, Image Thumbnails, Field-Collections, Objectbrick, Classification Store, Document Types, Predefined Properties, Predefined Asset Metadata, Quantity Value, and Static Routes functions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Pimcore 5.2.3 and below are vulnerable to multiple stored XSS flaws that allow authenticated attackers to inject arbitrary JavaScript in virtually all text fields.

Vulnerability

Pimcore versions 5.2.3 and below contain multiple stored cross-site scripting (XSS) vulnerabilities in virtually all text input fields across the Users, Assets, Data Objects, Video Thumbnails, Image Thumbnails, Field-Collections, Objectbrick, Classification Store, Document Types, Predefined Properties, Predefined Asset Metadata, Quantity Value, and Static Routes functions [2][4]. The vendor acknowledged the issue but stated that these XSS vulnerabilities would not be fixed at that time [2][4].

Exploitation

An attacker must first obtain valid authentication credentials to the Pimcore backend. With those credentials, the attacker can craft malicious JavaScript payloads and insert them into any of the mentioned text fields via the usual administrative forms. The payload is then stored on the server and executed in the browser of any authenticated user who views the affected page [2][4].

Impact

Successful exploitation leads to persistent execution of arbitrary JavaScript code in the context of the victim's session. This can result in theft of session cookies, defacement, or unauthorized actions performed on behalf of the victim, potentially compromising the entire Pimcore instance [2][4].

Mitigation

According to available references, the vendor did not provide a fix for these XSS issues in version 5.3.0; the advisory explicitly states that "XSS will not be fixed according to the vendor" [2][4]. No workaround is documented in the public advisories. Organizations still running Pimcore 5.2.3 or earlier should apply general input sanitization, restrict administrative access, and consider upgrading to a later version of Pimcore that may have addressed this class of vulnerability outside the scope of the original report.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                      Affected versions   Patched versions
pimcore/pimcore (Packagist)  < 5.3.0             5.3.0

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 8

News mentions: 0 (no linked articles in the index yet)