
CVE-2023-49075 pimcore/admin-ui-classic-bundle

Package

Manager: composer
Name: pimcore/admin-ui-classic-bundle
Vulnerable Version: >=0 <1.2.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00013 (percentile 0.01337)

Details

Pimcore Admin UI has two-factor authentication disabled for non-admin security firewalls.

Impact: `AdminBundle\Security\PimcoreUserTwoFactorCondition`, introduced in v11, disables two-factor authentication for all non-admin security firewalls. An authenticated user whose account has a second factor enrolled can therefore access the system through any of those firewalls without presenting the second-factor credentials (CWE-308, use of single-factor authentication).

Patches: Apply the patch at https://patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch

Workarounds: Upgrade to version 1.2.2 or apply the patch (https://patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch) manually.
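The weakness described above is a two-factor "condition" that decides by firewall name instead of by the account's enrollment state. The following is an added illustration written for this entry; it is not Pimcore's code and does not reproduce the patched class. It is written against the `TwoFactorConditionInterface` / `AuthenticationContextInterface` names of scheb/2fa-bundle as the editor understands them (assumed, not verified against a specific bundle version); the firewall name `pimcore_admin`, the `SecondFactorEnrolledUserInterface` type and the `$exemptFirewalls` parameter are hypothetical.

```php
<?php
// Added example, not project code. Assumed from scheb/2fa-bundle:
//   TwoFactorConditionInterface::shouldPerformTwoFactorAuthentication(AuthenticationContextInterface): bool
//   AuthenticationContextInterface::getFirewallName(): string, ::getUser(): ?UserInterface
declare(strict_types=1);

namespace App\Security\TwoFactor;

use Scheb\TwoFactorBundle\Security\TwoFactor\AuthenticationContextInterface;
use Scheb\TwoFactorBundle\Security\TwoFactor\Condition\TwoFactorConditionInterface;

/**
 * Hypothetical user contract: true once the account has an enrolled second factor.
 * A real application would map this onto its own user model.
 */
interface SecondFactorEnrolledUserInterface
{
    public function hasEnrolledSecondFactor(): bool;
}

/**
 * Weak pattern (CWE-308): the firewall name alone decides. A user who enrolled a
 * second factor is let in single-factor on every firewall except 'pimcore_admin'
 * (hypothetical firewall name), which is the class of bug the advisory describes.
 */
final class FirewallNameTwoFactorCondition implements TwoFactorConditionInterface
{
    public function shouldPerformTwoFactorAuthentication(AuthenticationContextInterface $context): bool
    {
        return $context->getFirewallName() === 'pimcore_admin';
    }
}

/**
 * Hardened pattern: the decision follows the account's enrollment state on every
 * firewall. The only firewall-based input is an explicit exemption list for
 * firewalls that never carry interactive sessions (e.g. a stateless token API),
 * and it defaults to empty so a forgotten configuration fails closed (2FA required).
 */
final class EnrollmentTwoFactorCondition implements TwoFactorConditionInterface
{
    /** @param list<string> $exemptFirewalls hypothetical allow-list of firewall names */
    public function __construct(private readonly array $exemptFirewalls = [])
    {
    }

    public function shouldPerformTwoFactorAuthentication(AuthenticationContextInterface $context): bool
    {
        // Strict comparison: an exemption must be an exact, configured firewall name.
        if (\in_array($context->getFirewallName(), $this->exemptFirewalls, true)) {
            return false;
        }

        $user = $context->getUser();

        // Enforce whenever the account has a second factor; an unknown user type
        // yields false only because there is no enrollment to check, not as a bypass.
        return $user instanceof SecondFactorEnrolledUserInterface
            && $user->hasEnrolledSecondFactor();
    }
}
```

When reviewing a custom condition, the check is simply: for each firewall that can authenticate an interactive user, does `shouldPerformTwoFactorAuthentication()` return true for a user with an enrolled second factor? Any firewall for which it returns false is a single-factor path into the application, whatever the admin firewall does.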

Metadata

Created: 2023-11-27T23:23:02Z
Modified: 2023-11-28T17:44:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-9wwg-r3c7-4vfg/GHSA-9wwg-r3c7-4vfg.json
CWE IDs: ["CWE-308"]
Alternative ID: GHSA-9wwg-r3c7-4vfg
Finding: F081
Auto approve: 1