Potential Security Vulnerability in Pimcore's Admin Classic Bundle
CVE-2024-25625

8.1 HIGH

Key Information:

Vendor: Pimcore
CVE Published: 19 February 2024

Summary

A vulnerability in Pimcore's Admin Classic Bundle has been identified, specifically within the invitationLinkAction function of the UserController. This issue arises from improper handling of the HTTP host header, allowing an attacker to inject a malicious host header into requests directed at the /admin/user/invitationlink endpoint. As a result, URLs generated for user invitations may point to an attacker-controlled domain. The $loginUrl parameter in email invitations is constructed without proper validation of the host header, making this vulnerability a potential vector for phishing attacks. The recommended mitigation includes validating the host header to ensure it corresponds with the application's domain and employing a default trusted host mechanism when the incoming header is unrecognized or absent. Version 1.3.4 addresses this vulnerability with necessary patches.
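The mitigation the advisory recommends (validate the incoming Host header against an allowlist of trusted hosts and fall back to a default trusted host when it is absent or unrecognised) is shown below as an added example. It is illustrative Python written for this page, not Pimcore's or the admin-ui-classic-bundle's own code; the hostnames, the allowlist patterns, the `/admin/login` path and the token value are all assumptions chosen for the example. The vulnerable variant is kept alongside the hardened one to make the difference concrete: the unsafe function lets whatever arrives in the Host header become the authority of the generated link, while the hardened one parses the header strictly (hostname or bracketed IPv6 literal, optional port, nothing else) before checking it against the allowlist, so values carrying userinfo, paths or out-of-range ports are rejected rather than partially trusted.

```python
"""Host-header validation for generated invitation links (illustrative example)."""
import re
from typing import Iterable, Optional

# Assumed values for this example: the application's canonical admin host and
# the allowlist of hosts for which invitation links may be generated.
DEFAULT_TRUSTED_HOST = "cms.example.test"
TRUSTED_HOST_PATTERNS = (
    r"cms\.example\.test",          # the canonical admin host
    r"[a-z0-9-]+\.example\.test",   # any single-label subdomain of the site
)

# Placeholder login path for the example; not taken from the advisory.
INVITATION_PATH = "/admin/login"

# Strict Host header grammar: a DNS name or a bracketed IPv6 literal, with an
# optional numeric port. Anything else ('@' userinfo, '/', whitespace, ...)
# fails to match and is treated as untrusted.
_HOST_RE = re.compile(
    r"^(?P<name>[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?|\[[0-9a-f:.]+\])"
    r"(?::(?P<port>\d{1,5}))?$"
)


def vulnerable_login_url(host_header: Optional[str], token: str) -> str:
    """The pattern the advisory describes: the Host header flows straight
    into the login URL, so an attacker-controlled header yields an
    attacker-controlled link in the invitation email."""
    return f"https://{host_header}{INVITATION_PATH}?token={token}"


def resolve_trusted_host(
    host_header: Optional[str],
    patterns: Iterable[str] = TRUSTED_HOST_PATTERNS,
    default_host: str = DEFAULT_TRUSTED_HOST,
) -> str:
    """Return the host to use for generated links.

    The header is normalised (trimmed, lower-cased), parsed with the strict
    grammar above, and its hostname part must fully match one allowlist
    pattern. On any failure the default trusted host is returned, which is
    the fallback behaviour the advisory recommends for a missing or
    unrecognised header.
    """
    if host_header is None:
        return default_host
    match = _HOST_RE.match(host_header.strip().lower())
    if match is None:
        return default_host
    name, port = match.group("name"), match.group("port")
    # \d{1,5} admits values above 65535, so range-check the port explicitly.
    if port is not None and not 1 <= int(port) <= 65535:
        return default_host
    # fullmatch anchors the pattern, so "cms.example.test.evil.example" cannot
    # pass on a prefix match.
    if not any(re.fullmatch(pattern, name) for pattern in patterns):
        return default_host
    return name if port is None else f"{name}:{port}"


def hardened_login_url(host_header: Optional[str], token: str) -> str:
    """Build the invitation login URL from a validated host only."""
    host = resolve_trusted_host(host_header)
    return f"https://{host}{INVITATION_PATH}?token={token}"


if __name__ == "__main__":
    # Constructed sample header values, including the shapes that are easy
    # to get wrong when validating with a lenient URL parser.
    for header in (None, "", "cms.example.test", "CMS.Example.Test:8443",
                   "evil.example.org", "cms.example.test.evil.example",
                   "evil.example.org@cms.example.test", "cms.example.test:99999"):
        print(f"{header!r:45} -> {hardened_login_url(header, 'TOKEN')}")
```

A deployment would normally source the allowlist from configuration rather than a constant; the important properties are that the patterns are anchored, that the hostname is parsed strictly before matching, and that every failure path lands on the default trusted host instead of on the attacker's value.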

Affected Version(s)

admin-ui-classic-bundle < 1.3.4

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
