User Enumeration Vulnerability in Pimcore Backend UI
CVE-2025-24980

6.9MEDIUM

Key Information:

Vendor: Pimcore
Status: Admin-ui-classic-bundle
Vendor: CVE Published:; 7 February 2025

Summary

The Pimcore admin-ui-classic-bundle utilizes a 'Forgot password' function that improperly discloses existing user accounts through error messages. This vulnerability can lead to user enumeration, allowing attackers to know which accounts are valid on the target system. Affected versions do not implement a generic error message to obscure the existence or non-existence of accounts. Users are urged to upgrade to version 1.7.4 or later to protect against this issue, as there are currently no available workarounds.

Affected Version(s)

admin-ui-classic-bundle < 1.7.4

References

https://github.com/pimcore/admin-ui-classic-bundle/securi...

x_refsource_CONFIRM

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Feb 7, 2025
Vulnerability Reserved
Jan 29, 2025