Pimcore Admin Classic Bundle

14 matches found

CVE · added 2024/02/07 5:17 p.m. · 196 views

CVE-2024-24822

Pimcore Admin Classic Bundle (pre-1.3.3) is affected by CVE-2024-24822 due to broken access control in tag management. An attacker can create, delete, and modify tags without proper permissions. A fix is available in version 1.3.3; patch can be applied manually via the referenced PR.

CVSS 9.1 · AI score 9 · EPSS 0.00544

CVE · added 2023/09/25 6:57 p.m. · 99 views

CVE-2023-42817

Pimcore admin-ui-classic-bundle translations are vulnerable to Cross-site Scripting due to a translation string containing “%s” being parsed by sprintf(), allowing potential injection in dialog boxes. Affected versions: prior to 1.1.2. Root cause: unsanitized translation parsing. Remediation: upg...

CVSS 5.4 · AI score 5.3 · EPSS 0.00326

CVE · added 2023/11/15 7:18 p.m. · 84 views

CVE-2023-47636

CVE-2023-47636 affects the Pimcore Admin Classic Bundle. The vulnerability is a Full Path Disclosure (FPD) in the Backend UI where loading a file path (for example via fopen) can reveal the server’s full path when the file does not exist, due to missing error handling. The issue has been patched ...

CVSS 5.3 · AI score 5.4 · EPSS 0.00654

CVE · added 2024/02/19 3:41 p.m. · 75 views

CVE-2024-25625

Pimcore Admin UI Classic Bundle (prior to 1.3.4) is vulnerable to Host Header Injection via the invitationLinkAction in UserController. The login URL is built using unvalidated host headers when generating $loginUrl, allowing an attacker to inject a malicious domain into invitation emails and ena...

CVSS 9.3 · AI score 8.2 · EPSS 0.00682

CVE · added 2023/10/30 10:08 a.m. · 74 views

CVE-2023-5844

CVE-2023-5844 affects pimcore/admin-ui-classic-bundle prior to version 1.2.0. The root cause is an unverified password change, allowing an attacker to set an old password as the new one, violating password policy. Documented impact per OSV/GHSA entries indicates a password-policy bypass without e...

CVSS 7.2 · AI score 5.5 · EPSS 0.00553

CVE · added 2025/02/07 7:56 p.m. · 69 views

CVE-2025-24980

CVE-2025-24980 affects Pimcore’s admin-ui-classic-bundle. The issue is an information disclosure: the Forgot Password flow reveals whether an account exists via non-generic error messages, enabling user enumeration. Root cause: improper error handling in the authentication/forgot-password path. I...

CVSS 6.9 · AI score 6.8 · EPSS 0.00483

CVE · added 2024/01/24 7:41 p.m. · 64 views

CVE-2024-23646

Pimcore Admin Classic Bundle (1.x) before 1.3.2 contains an SQL Injection in the selectedIds parameter used by the admin asset download flow (download-as-zip-add-files). Any backend user with basic permissions can execute arbitrary SQL and escalate to admin-level access. The fix is in 1.3.2. Affe...

CVSS 8.8 · AI score 9.1 · EPSS 0.00755
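The CVE-2024-23646 entry above describes the classic shape of this bug: a comma-separated id list from the request is spliced straight into an `IN (...)` clause. The script below is an added example written for this page, not Pimcore's own code, and does not reproduce the bundle's actual download-as-zip-add-files handler. The table, rows, payload and function names are constructed for the demonstration; it assumes the `pdo_sqlite` extension is loaded. It shows the vulnerable concatenation beside a hardened version that validates every id and binds it as its own placeholder.

```php
<?php
// Added example, not Pimcore's code: the bug class behind CVE-2024-23646.
// A comma-separated "selectedIds" request parameter is spliced into an
// IN (...) clause. The table, rows and function names are constructed for
// this demonstration; it assumes the pdo_sqlite extension is loaded.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE assets (id INTEGER PRIMARY KEY, filename TEXT, owner_id INTEGER)');
$pdo->exec("INSERT INTO assets VALUES (1, 'brochure.pdf', 7), (2, 'logo.png', 7), (3, 'payroll.xlsx', 1)");

// Vulnerable shape: the raw parameter becomes part of the SQL text, so the
// caller controls the rest of the statement, not just the id list.
function downloadListVulnerable(PDO $pdo, string $selectedIds): array
{
    $sql = 'SELECT id, filename FROM assets WHERE id IN (' . $selectedIds . ')';
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: each id must be a decimal integer and is bound as its own
// placeholder, so the statement's structure is fixed before user data enters it.
function downloadListHardened(PDO $pdo, string $selectedIds): array
{
    $ids = [];
    foreach (explode(',', $selectedIds) as $raw) {
        $raw = trim($raw);
        if (!preg_match('/\A[0-9]+\z/', $raw)) {
            throw new InvalidArgumentException("selectedIds must be comma-separated integers, got: $raw");
        }
        $ids[] = (int) $raw;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, filename FROM assets WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$benign  = '1,2';
$payload = '1) OR 1=1 --';   // closes the IN list, widens the WHERE, comments out the original ")"

printf("benign / vulnerable : %d rows\n", count(downloadListVulnerable($pdo, $benign)));
printf("payload / vulnerable: %d rows\n", count(downloadListVulnerable($pdo, $payload)));
printf("benign / hardened   : %d rows\n", count(downloadListHardened($pdo, $benign)));
try {
    downloadListHardened($pdo, $payload);
} catch (InvalidArgumentException $e) {
    echo "payload / hardened  : rejected (" . $e->getMessage() . ")\n";
}
```

Run it with `php` on the command line. The hardened function rejects the payload before any SQL is built; the point of the placeholder-per-id pattern is that the number of ids is the only thing the request can influence. Casting with `(int)` alone would also have stopped this particular payload, but the regex check gives a clear error for malformed input instead of silently turning `1abc` into `1`.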
CVE · added 2023/07/11 6:19 p.m. · 62 views

CVE-2023-37280

Pimcore Admin Classic Bundle (ExtJS-based Backend UI) contains a cross-site scripting vulnerability (CVE-2023-37280) that can be exploited by any admin who has not set up two-factor authentication, without extra privileges. The issue allows execution of arbitrary scripts/HTML content via the admi...

CVSS 6.1 · AI score 6.1 · EPSS 0.00535

CVE · added 2024/07/30 2:43 p.m. · 60 views

CVE-2024-41109

CVE-2024-41109 affects Pimcore's Admin UI Classic Bundle. The affected component is the Admin/IndexController statistics endpoint (/admin/index/statistics), where a logged-in Pimcore user can access detailed system information (Pimcore installation data, PHP/MySQL versions, installed bundles...

CVSS 6.5 · AI score 6.1 · EPSS 0.00483

CVE · added 2025/04/08 11:07 a.m. · 60 views

CVE-2025-30166

CVE-2025-30166 affects Pimcore’s Admin Classic Bundle. An HTML injection vulnerability resides in the /admin/email/send-test-email endpoint’s content parameter, allowing authenticated users with email-sending access to inject HTML into emails, potentially leaking session cookies or altering page ...

CVSS 4.8 · AI score 7.3 · EPSS 0.00209

CVE · added 2024/01/24 6:05 p.m. · 54 views

CVE-2024-23648

CVE-2024-23648: Pimcore Admin Classic Bundle is vulnerable to Host Header Injection in the password-reset flow. Before version 1.2.3, the reset URL was built from the request's Host header, enabling an attacker-controlled domain to appear in the password-reset link sent by email. If a...

CVSS 8.8 · AI score 8.5 · EPSS 0.00827
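CVE-2024-25625 (invitation links) and CVE-2024-23648 (password-reset links) are the same bug class: an absolute URL destined for an e-mail is assembled from the request's Host header, which whoever sends the request controls. The script below is an added example for this page, not Pimcore's code and not its actual fix. The host names, path, token and function names are placeholders, and `$server` stands in for PHP's `$_SERVER`. It contrasts building the link from the header with building it from a configured base URL while still refusing requests whose Host is not on an allowlist.

```php
<?php
// Added example, not Pimcore's code: the bug class behind CVE-2024-25625 and
// CVE-2024-23648. An absolute link destined for an e-mail is assembled from the
// request's Host header, which the client sending the request chooses. The
// paths, host names, token and function names are placeholders for this demo;
// $server stands in for PHP's $_SERVER.

// Vulnerable shape: the sender of the HTTP request picks the host in the link.
function buildLinkFromHostHeader(array $server, string $path): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $server['HTTP_HOST'] . $path;
}

// Hardened shape: the link's origin comes from deployment configuration. The
// Host header is still checked against an allowlist so a forged value is
// refused (and can be logged) rather than silently accepted.
function buildLinkFromConfig(string $configuredBaseUrl, array $allowedHosts, array $server, string $path): string
{
    $hostHeader  = $server['HTTP_HOST'] ?? '';
    $requestHost = strtolower(explode(':', $hostHeader, 2)[0]);   // strip an explicit port
    if (!in_array($requestHost, $allowedHosts, true)) {
        throw new RuntimeException('untrusted Host header: ' . ($hostHeader === '' ? '(none)' : $hostHeader));
    }
    return rtrim($configuredBaseUrl, '/') . $path;
}

$baseUrl      = 'https://cms.example.com';           // what the operator configured
$allowedHosts = ['cms.example.com'];
$path         = '/admin/reset?token=PLACEHOLDER';    // placeholder path and token

// Constructed requests: one forged by an attacker who triggers a reset or
// invitation for the victim, one from the legitimate site.
$forged = ['HTTP_HOST' => 'attacker.example', 'HTTPS' => 'on'];
$normal = ['HTTP_HOST' => 'cms.example.com',  'HTTPS' => 'on'];

echo "vulnerable, forged Host : ", buildLinkFromHostHeader($forged, $path), "\n";
echo "hardened, normal Host   : ", buildLinkFromConfig($baseUrl, $allowedHosts, $normal, $path), "\n";
try {
    buildLinkFromConfig($baseUrl, $allowedHosts, $forged, $path);
} catch (RuntimeException $e) {
    echo "hardened, forged Host   : refused (", $e->getMessage(), ")\n";
}
```

The first line of output is the link the victim would receive: a valid reset or invitation token on an attacker-owned domain. Pimcore is built on Symfony, so in a real deployment the allowlist belongs in the framework's `trusted_hosts` setting rather than in each controller, but the link itself should still come from configuration, because rejecting unknown hosts does nothing if the accepted header is then echoed into the URL. The port-stripping `explode` above is deliberately simple and would need adjusting for IPv6 literal hosts such as `[::1]:8080`.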
CVE · added 2023/11/28 4:33 a.m. · 51 views

CVE-2023-49075

CVE-2023-49075 affects Pimcore's Admin Classic Bundle (AdminBundle): the PimcoreUserTwoFactorCondition introduced in v11 disables two-factor authentication for all non-admin security firewalls, so an authenticated user could access the system without completing 2FA. The vulnerability i...

CVSS 8.4 · AI score 7.5 · EPSS 0.01437

CVE · added 2023/10/31 3:36 p.m. · 44 views

CVE-2023-46722

Pimcore Admin Classic Bundle contains a cross-site scripting (XSS) vulnerability in PDF previews prior to version 1.2.0. The issue stems from insufficient input validation in the PDF preview path (AssetController.php getPreviewDocumentAction), enabling an attacker to craft a malicious PDF that ca...

CVSS 6.1 · AI score 6.1 · EPSS 0.00496

CVE · added 2026/01/15 4:47 p.m. · 17 views

CVE-2026-23495

CVE-2026-23495 affects Pimcore's Admin Classic Bundle. The API endpoint that lists Predefined Properties (metadata definitions used across documents, assets, and objects) lacked proper server-side authorization prior to versions 2.2.3 and 1.7.16. An authenticated backend user without ...

CVSS 4.3 · AI score 6.3 · EPSS 0.00331