CVE-2024-41109
MEDIUM
Pimcore Admin Classic Bundle < 1.3.10 - Information Disclosure
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Navigating to `/admin/index/statistics` as a logged-in Pimcore user exposes information about the Pimcore installation, the PHP version, the MySQL version, the installed bundles, and all database tables in the system with their row counts. This vulnerability is fixed in 1.5.2, 1.4.6, and 1.3.10.
References (4)
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-fx6j-9pp6-ph36
Patch x_refsource_misc
https://github.com/pimcore/admin-ui-classic-bundle/commit/afa10bff2f8bfe9c8af7b6b75885bc403f6984f0
Product x_refsource_misc
https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/IndexController.php#L125C24-L125C40
Release Notes x_refsource_misc
https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.5.2
Scores
CVSS v3
6.3
EPSS
0.0005
EPSS Percentile
15.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (2)
pimcore/admin-ui-classic-bundle
0 - 1.5.2 Packagist
pimcore/admin_classic_bundle
< 1.3.10
Published
Jul 30, 2024
Tracked Since
Feb 18, 2026