Description

Pimcore Platform v 11.0.7 is not enforcing strict password policy which allow attacker to set old password as new password

Proof of Concept

1- go to https://demo.pimcore.com/admin/login
2- login with demo user credentials [ Username: superuser Password: enterprisedemo ]
3- Now login and click on -> "superuser | My Profile".
4- Go to change password now put old password as new password and click save.

PoC

video PoC: https://drive.google.com/file/d/1eIRl5ilXDgQlz8AkZjqT9wn0irTCMcp8/view?usp=drive_link