Admin Classic Bundle Security Vulnerabilities
Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. An admin who has not setup two factor authentication before is vulnerable for this attack, without need for any form of privilege, causing the application to execute arbitrary scripts/HTML content. This vul...
6.1CVSS
6.6AI Score
0.001EPSS
Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore. The translation value with text including β%sβ (from β%suggest%) is parsed by sprintf() even though itβs supposed to be output literally to the user. The translations may be accessible by a user with comparatively lower overall acce...
5.4CVSS
5.3AI Score
0.0004EPSS
The Pimcore Admin Classic Bundle provides a backend UI for Pimcore. Prior to version 1.2.0, a cross-site scripting vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Users...
6.1CVSS
6.1AI Score
0.001EPSS
The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the pag...
5.3CVSS
5.5AI Score
0.001EPSS
The Admin Classic Bundle provides a Backend UI for Pimcore. AdminBundle\Security\PimcoreUserTwoFactorCondition introduced in v11 disable the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the two factor credentia...
8.4CVSS
6.9AI Score
0.001EPSS
Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0.
7.2CVSS
5.5AI Score
0.001EPSS
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, parameter selectedIds is susceptible to SQL Injection. Any backend user with very basic permissi...
8.8CVSS
9.1AI Score
0.001EPSS
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password. The URL sent contains a unique token, valid during 24 hours, allowing the user to reset...
8.8CVSS
8.5AI Score
0.001EPSS
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Prior to version 1.3.3, an attacker can create, delete etc. tags without having the permission to do so. A fix is available in version 1.3.3. As a workaround, one may apply the patch manually.
9.1CVSS
9AI Score
0.001EPSS