Описание
pimcore/admin-ui-classic-bundle Unverified Password Change
Impact
As old password can be set as new password , it is considered as password policy violation.
Pimcore is not enforcing strict password policy which allow attacker to set old password as new password
Proof of Concept
- Go to Admin link
- login and click on -> "User | My Profile".
- Go to change password now put old password as new password and click save.
Patches
Workarounds
Update to version 1.2.0 or apply this patches manually https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch
References
https://huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021/
Ссылки
Пакеты
Наименование
pimcore/admin-ui-classic-bundle
composer
Затронутые версииВерсия исправления
< 1.2.0-RC1
1.2.0-RC1
Связанные уязвимости
CVSS3: 7.2
nvd
больше 2 лет назад
Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0.