Lucene search

GitHub_MCVE-2024-41109

HistoryJul 30, 2024 - 3:15 p.m.

CVE-2024-41109

2024-07-3015:15:12

CWE-200

GitHub_M

web.nvd.nist.gov

pimcore

admin classic bundle

sensitive information

vulnerability

fixed

version 1.5.2

version 1.4.6

version 1.3.10

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score

6.1

Confidence

High

EPSS

Percentile

16.2%

JSON

Pimcore’s Admin Classic Bundle provides a backend user interface for Pimcore. Navigating to /admin/index/statistics with a logged in Pimcore user exposes information about the Pimcore installation, PHP version, MYSQL version, installed bundles and all database tables and their row count in the system. This vulnerability is fixed in 1.5.2, 1.4.6, and 1.3.10.

Affected configurations

Vulners

Vulnrichment

Node

pimcoreadmin_classic_bundleRange<1.5.2pimcore

VendorProductVersionCPE
pimcoreadmin_classic_bundle*cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:pimcore:*:*

Vendor	Product	Version	CPE
pimcore	admin_classic_bundle	*	cpe:2.3:a:pimcore:admin_classic_bundle::::::pimcore::*

CNA Affected

[
  {
    "vendor": "pimcore",
    "product": "admin-ui-classic-bundle",
    "versions": [
      {
        "version": "< 1.5.2",
        "status": "affected"
      }
    ]
  }
]

References

github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/IndexController.php#L125C24-L125C40

github.com/pimcore/admin-ui-classic-bundle/commit/afa10bff2f8bfe9c8af7b6b75885bc403f6984f0

github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.5.2

github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-fx6j-9pp6-ph36