Password Management Vulnerability in Pimcore Data and Experience Management Platform
CVE-2024-49370

4.9MEDIUM

Key Information:

Vendor: Pimcore
Status: Pimcore
Vendor: CVE Published:; 23 October 2024

Summary

Pimcore is a widely used open-source data and experience management platform that faces a serious vulnerability related to its user password management. When a PortalUserObject is linked to a PimcoreUser and has the setting 'Use Pimcore Backend Password' enabled, the password change function within the Portal Profile allows setting a new password without proper hashing. This flaw means that the new password can be exposed in plaintext to anyone with access to the user profile, potentially compromising user accounts. This vulnerability affects versions of the Pimcore portal engine prior to 4.1.7 and 3.1.16, highlighting the necessity for users to upgrade to these versions to mitigate risks.

References

https://github.com/pimcore/pimcore/security/advisories/GH...

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 23, 2024