CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
AI Score
Confidence: Low
EPSS
Percentile: 16.2%
Requesting /admin/index/statistics as a logged-in Pimcore user (as an XmlHttpRequest rather than by plain navigation, because of this check: IndexController:125) exposes information about the Pimcore installation: the PHP version, the MySQL version, the installed bundles, and all database tables in the system together with their row counts.
> The web server should not return any product and version information of the components used. The table names and row counts should not be exposed.
/admin/index/statistics returns the following JSON response:
{
    "instanceId": "...",
    "pimcore_major_version": 11,
    "pimcore_version": "v11.3.1",
    "pimcore_hash": "3ecd39f21dbdd25ffdf4bec6e2c860eccfd3d008",
    "pimcore_platform_version": "v2024.2",
    "php_version": "8.3.8",
    "mysql_version": "10.11.8-MariaDB-ubu2204",
    "bundles": [
        // all installed bundles
    ],
    "tables": [
        // all tables and their row count, e.g.:
        {
            "name": "users",
            "rows": 2
        }
    ]
}
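Because the disclosed JSON is fetched over plain HTTP(S), ordinary web server access logs record every read of it. The following script is an added example (not code from Pimcore or from the advisory's author): it parses access log lines in the common "combined" format, picks out requests to /admin/index/statistics regardless of query string, and counts per client address how often the endpoint actually answered with a 2xx, which is the case in which the version and table data left the server. The log lines are constructed samples using documentation IP ranges; the path constant is the one named in the advisory.

```python
"""Flag reads of the Pimcore statistics endpoint in web server access logs.

Added example for this advisory, not code from Pimcore or the reporter.
Assumes the nginx/Apache "combined" log format; the sample lines below are
constructed and use documentation IP ranges.
"""
import re
from collections import Counter
from typing import Iterable, Optional

STATISTICS_PATH = "/admin/index/statistics"

# combined format: host ident authuser [time] "METHOD target proto" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample: one browser session that fetched the statistics twice,
# one scripted client that was refused (the 403 a patched install returns),
# and one malformed line to show that unparseable input is skipped.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jul/2024:14:02:11 +0000] "GET /admin/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jul/2024:14:02:19 +0000] "GET /admin/index/statistics HTTP/1.1" 200 8431 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jul/2024:14:02:25 +0000] "GET /admin/index/statistics?_dc=1721225746 HTTP/1.1" 200 8431 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jul/2024:14:05:02 +0000] "GET /admin/index/statistics HTTP/1.1" 403 120 "-" "curl/8.4.0"
198.51.100.7 - - [17/Jul/2024:14:05:30 +0000] "GET /admin/ HTTP/1.1" 200 3012 "-" "curl/8.4.0"
this line is not in combined format
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string so "/path?_dc=..." compares equal to "/path".
    rec["path"] = rec["target"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def find_statistics_requests(lines: Iterable[str]) -> list:
    """Return parsed records for every request whose path is the statistics endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["path"] == STATISTICS_PATH:
            hits.append(rec)
    return hits


def disclosures_by_host(lines: Iterable[str]) -> Counter:
    """Count 2xx responses to the statistics endpoint per client address.

    A 2xx means the JSON (versions, bundles, table names and row counts) was
    actually returned; on a patched install, non-admin users get 403 instead.
    """
    return Counter(
        rec["host"]
        for rec in find_statistics_requests(lines)
        if 200 <= rec["status"] < 300
    )


if __name__ == "__main__":
    for host, n in disclosures_by_host(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: statistics JSON returned {n} time(s)")
```

Access logs do not carry the Pimcore user identity, so the result is a list of client addresses to reconcile against the administrators who are expected to open the admin dashboard; after the fix is deployed, 2xx responses to this path from anyone else should stop appearing and 403s take their place.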
Information about the Pimcore version can also be seen in the admin UI (figures not reproduced here: "In a current version" and "In Pimcore version 10.6.9").
/admin/index/statistics: only possible for logged-in Pimcore users.
We patched the following additional check for Pimcore v10.6.9. This uses an app-specific class, but any user permission would be OK. This resolves navigating to /admin/index/statistics.
diff --git a/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php b/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php
--- a/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php (revision dd81ef4c666b18c254333867a60f6ed455025076)
+++ b/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php (date 1721225746781)
@@ -15,6 +15,7 @@
namespace Pimcore\Bundle\AdminBundle\Controller\Admin;
+use App\Constant\UserPermission;
use Doctrine\DBAL\Connection;
use Exception;
use Pimcore\Analytics\Google\Config\SiteConfigProvider;
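Review bot: the `use App\Constant\UserPermission;` import pulls an application namespace into a file under `vendor/pimcore/pimcore/`, so the bundle now depends on the app and the edit is lost on the next `composer install` or update. Since the text states that any user permission would do, consider moving the gate out of the vendor file (an event subscriber or route-level check in the application) or, if the vendor change must stay, keeping it as a patch file that is re-applied at install time and using a permission key that does not require an app-side constant.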
@@ -142,6 +143,12 @@
throw $this->createAccessDeniedHttpException();
}
+ $user = $this->tokenResolver->getUser();
+
+ if (!$user->isAdmin() && !$user->isAllowed(UserPermission::ADMIN_INDEX_VIEW)) {
+ throw $this->createAccessDeniedException();
+ }
+
// DB
try {
$tables = $db->fetchAllAssociative('SELECT TABLE_NAME as name,TABLE_ROWS as `rows` from information_schema.TABLES
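Review bot: the new block calls `$user->isAdmin()` straight after `$user = $this->tokenResolver->getUser();` without checking that a user was actually resolved; if `getUser()` returns null, the access denial turns into a fatal error instead of a 403, so guard with `if ($user === null || (!$user->isAdmin() && !$user->isAllowed(...)))`. Also, the XHR check two lines above throws `createAccessDeniedHttpException()` while the added check throws `createAccessDeniedException()`; use the same one so both denials produce the same response.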
For the Pimcore versions in the UI we used the IndexActionSettingsEvent. This works for versions < Pimcore 11:
<?php

namespace App\EventListener\Admin;

use App\Constant\UserPermission;
use Pimcore\Bundle\AdminBundle\Event\AdminEvents;
use Pimcore\Event\Admin\IndexActionSettingsEvent;
use Pimcore\Security\User\TokenStorageUserResolver;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

/**
 * Blanks the instance id, version and build from the admin index settings
 * for users who are neither admins nor granted the view permission.
 *
 * @deprecated and cannot be used in Pimcore 11
 */
class PimcoreVersionUIGuardSubscriber implements EventSubscriberInterface
{
    public function __construct(private readonly TokenStorageUserResolver $tokenResolver)
    {
    }

    public static function getSubscribedEvents(): array
    {
        return [
            AdminEvents::INDEX_ACTION_SETTINGS => ['onIndexActionSettingsEvent'],
        ];
    }

    public function onIndexActionSettingsEvent(IndexActionSettingsEvent $event): void
    {
        $user = $this->tokenResolver->getUser();

        // Privileged users keep the full settings; a missing user is treated as unprivileged.
        if ($user !== null && ($user->isAdmin() || $user->isAllowed(UserPermission::ADMIN_INDEX_VIEW))) {
            return;
        }

        // Everyone else gets the settings with the version details removed.
        $settings = $event->getSettings();
        $settings['instanceId'] = '';
        $settings['version'] = '';
        $settings['build'] = '';
        $event->setSettings($settings);
    }
}
Vendor | Product | Version | CPE
---|---|---|---
pimcore | admin_classic_bundle | * | cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:pimcore:*:*
github.com/advisories/GHSA-fx6j-9pp6-ph36
github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/IndexController.php#L125C24-L125C40
github.com/pimcore/admin-ui-classic-bundle/commit/afa10bff2f8bfe9c8af7b6b75885bc403f6984f0
github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.5.2
github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-fx6j-9pp6-ph36
nvd.nist.gov/vuln/detail/CVE-2024-41109