Description
The Admin Classic Bundle provides a Backend UI for Pimcore. `AdminBundle\Security\PimcoreUserTwoFactorCondition`, introduced in v11, disables two-factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the two-factor credentials. This issue has been patched in version 1.2.2.
References (4)
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-9wwg-r3c7-4vfg
Patch, Vendor Advisory, URL Repurposed x_refsource_misc
https://github.com/pimcore/admin-ui-classic-bundle/pull/345
Patch x_refsource_misc
https://github.com/pimcore/admin-ui-classic-bundle/commit/e412b0597830ae564a604e2579eb40e76f7f0628
Patch, Vendor Advisory x_refsource_misc
https://patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch
Scores
CVSS v3
8.4
EPSS
0.0001
EPSS Percentile
1.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Details
CWE
CWE-308
Status
published
Products (2)
pimcore/admin-ui-classic-bundle
0 - 1.2.2 (Packagist)
pimcore/admin_classic_bundle
< 1.2.2
Published
Nov 28, 2023
Tracked Since
Feb 18, 2026