EUVD-2023-2672
Malicious code in bioql PyPI...
CVE-2023-5844
Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0...
Host Header Injection
pimcore/admin-ui-classic-bundle is vulnerable to Host Header Injection. The vulnerability is caused by unsafely using the Host header from incoming HTTP requests when generating URLs in the function invitationLinkAction within UserController.php, specifically in the way $loginUrl trusts user...
CVE-2023-5844
CVE-2023-5844 affects pimcore/admin-ui-classic-bundle prior to version 1.2.0. The root cause is an unverified password change, allowing an attacker to set an old password as the new one, violating password policy. Documented impact per OSV/GHSA entries indicates a password-policy bypass without e...
CVE-2023-5844 Unverified Password Change in pimcore/admin-ui-classic-bundle
Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0...
Cross-site Scripting
pimcore/admin-ui-classic-bundle is vulnerable to Cross-site Scripting. The vulnerability is due to the sprintf function in functions.js, which does not perform any escaping or sanitization of the subst and str values themselves. This can lead to Cross-Site Scripting vulnerabilities if the str is later...
CVE-2023-42817
Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore. The translation value with text including “%s” from “%suggest%” is parsed by sprintf even though it’s supposed to be output literally to the user. The translations may be accessible by a user with comparatively lower overall access...
CVE-2023-42817
Pimcore admin-ui-classic-bundle translations are vulnerable to Cross-site Scripting due to a translation string containing “%s” being parsed by sprintf(), allowing potential injection in dialog boxes. Affected versions: prior to 1.1.2. Root cause: unsanitized translation parsing. Remediation: upg...
Cross-site Scripting (XSS)
pimcore/admin-ui-classic-bundle is vulnerable to Cross-site Scripting (XSS). The vulnerability exists if an admin user has not set up 2-factor authentication in twofactorsetup.html.twig, which allows an attacker to inject and execute malicious HTML or JavaScript through the /admin/login/2fa-setup...