2 matches found
Pimcore Host Header Injection in user invitation link
Overview A potential security vulnerability discovered in pimcore/admin-ui-classic-bundle version up to v1.3.3 . The vulnerability involves a Host Header Injection in the invitationLinkAction function of the UserController, specifically in the way $loginUrl trusts user input. Details The host...
CVE-2024-23648
Summary (CVE-2024-23648) Pimcore Admin Classic Bundle is vulnerable to Host Header Injection in the password-reset flow. Before version 1.2.3, the reset URL was crafted using the request’s Host header, enabling an attacker-controlled domain to appear in the password-reset link sent by email. If a...