# Pimcore Platform v12.3.3 Stored XSS Vulnerability Summary

## Vulnerability Overview

* **Vulnerability Name**: Pimcore Platform v12.3.3 – Stored XSS in Document Editable Embed rendering
* **Vulnerability Type**: Stored Cross-Site Scripting (Stored XSS)
* **CVSS Score**: 4.8 (Medium)
* **CVE ID**: CVE-2026-5362
* **Discoverer**: Oscar Naveda (Fluid Attacks AI SAST Scanner)
* **Vulnerability Principle**: An attacker with permission to edit document content can store malicious HTML/JavaScript in the "Document editable" field. When the page is published, the server renders that user input directly as trusted HTML without escaping. Specifically, the `Embera::autoEmbed()` function returns the input text as-is when it encounters an unsupported URL, so any markup in the field reaches the rendered page and scripts inside it execute.

## Impact Scope

* **Affected Software**: Pimcore Platform
* **Affected Versions**: v12.3.3
* **Prerequisites**: The attacker must have permission to edit document content.
* **Impact**: Attackers can inject and execute arbitrary JavaScript code, potentially leading to session hijacking, data theft, or page tampering.

## Remediation

* **Current Status**: No official patch is currently available.
* **Recommendation**: Wait for the official release of a fixed version, or implement strict input validation and output escaping at the application layer.

## POC Code

### 1. Application-Level POC (HTML Payload)

**HTML-only payload:**

```html
alert("PIMCORE_EMBED_XSS")
```

**Mixed provider payload:**

```text
https://www.youtube.com/watch?v=j---aiyzqGQ alert("PIMCORE_EMBED_XSS")
```

### 2. Dependency-Level POC (PHP Code)

Used to verify the behavior of the underlying `Embera` dependency:

```php
$e = new Embera\Embera();
echo $e->autoEmbed('alert(1)');
echo $e->autoEmbed('https://www.youtube.com/watch?v=j---aiyzqGQ alert(1)');
```
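One way to apply the recommended application-layer escaping, as an added example that is not Pimcore's or Embera's own code: it assumes `Embera\Embera::autoEmbed()` as used on the page, a Composer autoloader at `vendor/autoload.php` (assumption), and a deployer-chosen provider host allow-list (assumption). Only tokens that parse as http(s) URLs on an allowed host are handed to `autoEmbed()`; everything else, including the non-URL part of the mixed payload above, is HTML-escaped.

```php
<?php
// Added example (not Pimcore's or Embera's code). Assumes the Composer
// autoloader path and the provider allow-list below; adjust for your deployment.
require 'vendor/autoload.php';

// Providers whose oEmbed HTML you are willing to trust (assumption: site policy).
const ALLOWED_EMBED_HOSTS = ['www.youtube.com', 'youtu.be', 'vimeo.com'];

function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function safeEmbed(string $userText, Embera\Embera $embera): string
{
    $out = [];
    // Work token by token so that a provider URL followed by injected markup
    // (the "mixed provider" case) does not smuggle the markup through untouched.
    foreach (preg_split('/\s+/', trim($userText)) as $token) {
        if ($token === '') {
            continue;
        }
        $parts = parse_url($token);
        $isAllowedUrl = $parts !== false
            && isset($parts['scheme'], $parts['host'])
            && in_array(strtolower($parts['scheme']), ['http', 'https'], true)
            && in_array(strtolower($parts['host']), ALLOWED_EMBED_HOSTS, true);

        if (!$isAllowedUrl) {
            // Not an embeddable URL: never render as HTML.
            $out[] = escapeHtml($token);
            continue;
        }
        $rendered = $embera->autoEmbed($token);
        // autoEmbed() returns its input unchanged when no provider matched;
        // in that case the raw text must be escaped rather than echoed.
        $out[] = ($rendered === $token) ? escapeHtml($token) : $rendered;
    }
    return implode(' ', $out);
}

// Constructed sample inputs mirroring the page's two payload shapes.
$e = new Embera\Embera();
echo safeEmbed('<script>alert(1)</script>', $e), PHP_EOL;
echo safeEmbed('https://www.youtube.com/watch?v=j---aiyzqGQ <script>alert(1)</script>', $e), PHP_EOL;
```

The provider HTML that `autoEmbed()` returns is still trusted, so the allow-list bounds that trust; a Content Security Policy on the published pages limits the impact if an embed provider ever misbehaves.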