GHSA-6f58-j323-6472

Source

https://github.com/advisories/GHSA-6f58-j323-6472

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-6f58-j323-6472/GHSA-6f58-j323-6472.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6f58-j323-6472

Aliases

CVE-2023-5844

Published

2023-10-31T22:23:18Z

Modified

2024-02-16T08:16:29.124219Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

pimcore/admin-ui-classic-bundle Unverified Password Change

Details

Impact

As old password can be set as new password , it is considered as password policy violation.

Pimcore is not enforcing strict password policy which allow attacker to set old password as new password

Proof of Concept 1. Go to Admin link 2. login and click on -> "User | My Profile". 3. Go to change password now put old password as new password and click save.

Patches

https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch

Workarounds

Update to version 1.2.0 or apply this patches manually https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch

References

https://huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021/

Database specific

{
    "nvd_published_at": "2023-10-30T11:15:39Z",
    "cwe_ids": [
        "CWE-287",
        "CWE-620"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-31T22:23:18Z"
}

References

Affected packages

Packagist / pimcore/admin-ui-classic-bundle

Package

Name: pimcore/admin-ui-classic-bundle
Purl: pkg:composer/pimcore/admin-ui-classic-bundle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.0

Affected versions

v1.*

v1.0.0-BETA1

v1.0.0-RC1

v1.0.0-RC2

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.1.0-RC1

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.2

v1.2.0-RC1