CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | HIGH |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
AI Score confidence: High
EPSS percentile: 24.2%
Because an old password can be set as the new password, this is considered a password policy violation.
Pimcore does not enforce a strict password policy, which allows an attacker to set the old password as the new password.
Proof of Concept
Update to version 1.2.0 or apply the patch manually:
https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch
https://huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021/
Vendor | Product | Version | CPE |
---|---|---|---|
pimcore | admin_classic_bundle | * | cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:pimcore:*:* |
github.com/advisories/GHSA-6f58-j323-6472
github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea
github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-6f58-j323-6472
huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021
nvd.nist.gov/vuln/detail/CVE-2023-5844