
CVE-2023-5844 pimcore/admin-ui-classic-bundle

Package

Manager: composer
Name: pimcore/admin-ui-classic-bundle
Vulnerable Version: >=0 <1.2.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 2e-05 (percentile 0.00034)

Details

pimcore/admin-ui-classic-bundle Unverified Password Change

### Impact

Because the old password can be set as the new password, this is a password policy violation. Pimcore does not enforce a strict password policy, which allows an attacker to set the old password as the new password.

### Proof of Concept

1. Go to the Admin link.
2. Log in and click "User | My Profile".
3. Go to "Change password", enter the old password as the new password and click Save.

### Patches

https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch

### Workarounds

Update to version 1.2.0 or apply this patch manually: https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch

### References

https://huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021/
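As an added illustration (not Pimcore's code and not the linked patch), the snippet below contrasts a password-change handler that accepts any new value unchecked with a hardened one that verifies the current password, rejects re-use of it, and applies a minimum length; the function names, the `$storedHash` fixture and the 12-character minimum are hypothetical choices for this example.

```php
<?php
declare(strict_types=1);

// Constructed fixture: bcrypt hash of the user's current password
// (a made-up value for this example, not a real credential).
$storedHash = password_hash('Old-Passw0rd!', PASSWORD_BCRYPT);

// Weak variant: neither verifies the current password nor checks that the
// new one differs, which is the CWE-620 pattern this advisory describes.
function changePasswordWeak(string $storedHash, string $newPassword): string
{
    return password_hash($newPassword, PASSWORD_BCRYPT);
}

// Hardened variant: requires proof of the current password, rejects
// re-use of it (checked against the stored hash), enforces a minimum
// length, and only then produces the new hash to store.
function changePasswordHardened(
    string $storedHash,
    string $currentPassword,
    string $newPassword
): string {
    if (!password_verify($currentPassword, $storedHash)) {
        throw new InvalidArgumentException('Current password is incorrect.');
    }
    if (password_verify($newPassword, $storedHash)) {
        throw new InvalidArgumentException('New password must differ from the current password.');
    }
    if (strlen($newPassword) < 12) {
        throw new InvalidArgumentException('New password must be at least 12 characters.');
    }
    return password_hash($newPassword, PASSWORD_BCRYPT);
}

// Weak path: re-using the old password silently succeeds.
$weak = changePasswordWeak($storedHash, 'Old-Passw0rd!');
echo password_verify('Old-Passw0rd!', $weak) ? "weak: old password accepted as new\n" : '';

// Hardened path: the same request is rejected.
try {
    changePasswordHardened($storedHash, 'Old-Passw0rd!', 'Old-Passw0rd!');
} catch (InvalidArgumentException $e) {
    echo 'hardened: ' . $e->getMessage() . "\n";
}

// Hardened path: a genuinely new password is accepted and rehashed.
$new = changePasswordHardened($storedHash, 'Old-Passw0rd!', 'N3w-Longer-Secret!');
echo password_verify('N3w-Longer-Secret!', $new) ? "hardened: new password stored\n" : '';
```

The re-use check compares the candidate against the stored hash with `password_verify` rather than against the submitted current password, so it still holds if the current-password field is ever dropped from the form.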

Metadata

Created: 2023-10-31T22:23:18Z
Modified: 2023-10-31T22:23:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-6f58-j323-6472/GHSA-6f58-j323-6472.json
CWE IDs: ["CWE-287", "CWE-620"]
Alternative ID: GHSA-6f58-j323-6472
Finding: F039
Auto approve: 1