CVE-2023-49075

HIGH

Pimcore <1.2.2 - Privilege Escalation

Title source: llm

Description

The Admin Classic Bundle provides a Backend UI for Pimcore. `AdminBundle\Security\PimcoreUserTwoFactorCondition`, introduced in v11, disables two-factor authentication for all non-admin security firewalls. As a result, an authenticated user can access the system without having to provide the two-factor credentials. This issue has been patched in version 1.2.2.

Scores

CVSS v3 8.4
EPSS 0.0001
EPSS Percentile 1.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Classification

CWE
CWE-308
Status published

Affected Products (2)

pimcore/admin_classic_bundle < 1.2.2
pimcore/admin-ui-classic-bundle < 1.2.2 (Packagist)

Timeline

Published Nov 28, 2023
Tracked Since Feb 18, 2026