CVE-2019-18986

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2019-18986

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18986.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-18986

Aliases

GHSA-8889-9g3f-73rj

Published

2019-11-15T05:15:13.063Z

Modified

2026-03-14T09:34:44.155334Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

Pimcore before 6.2.2 allow attackers to brute-force (guess) valid usernames by using the 'forgot password' functionality as it returns distinct messages for invalid password and non-existing users.

References

Affected packages

Git / github.com/pimcore/pimcore

Affected ranges

Type

GIT

Repo

https://github.com/pimcore/pimcore

Events

Introduced

Fixed

75a93f6e3edf90444d88695d190a6dfaa8c2499e

Fixed

4a7bba5c3f818852cbbd29fa124f7fb09a207185

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.2.2"
        }
    ]
}

Affected versions

2.*

2.2.0

2.2.1

2.2.2

2.3.0

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.1.0

3.1.1

4.*

4.0.0

4.0.1

4.1.0

4.1.1

4.1.2

4.1.3

4.2.0

4.3.0

4.3.1

4.4.0

4.4.1

4.4.2

4.4.3

4.5.0

v5.*

v5.0.0

v5.0.0-RC

v5.0.1

v5.0.2

v5.0.3

v5.0.4

v5.1.0

v5.1.0-alpha

v5.1.1

v5.1.2

v5.1.3

v5.2.0

v5.2.3

v5.3.0

v5.3.1

v5.4.0

v5.4.1

v5.4.2

v5.4.3

v5.4.4

v5.5.0

v5.5.1

v5.5.2

v5.5.3

v5.5.4

v5.6.0

v5.6.1

v5.6.2

v5.6.3

v5.6.4

v5.6.5

v5.6.6

v5.7.0

v5.7.1

v5.7.2

v5.7.3

v5.8.0

v5.8.1

v5.8.2

v5.8.3

v6.*

v6.0.0

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.0.5

v6.1.0

v6.1.1

v6.1.2

v6.2.0

v6.2.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18986.json"