CVE-2023-5844: pimcore/admin-ui-classic-bundle Unverified Password Change
(updated )
As old password can be set as new password , it is considered as password policy violation.
Pimcore is not enforcing strict password policy which allow attacker to set old password as new password
Proof of Concept
- Go to Admin link
- login and click on -> “User | My Profile”.
- Go to change password now put old password as new password and click save.
References
- github.com/advisories/GHSA-6f58-j323-6472
- github.com/pimcore/admin-ui-classic-bundle
- github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea
- github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-6f58-j323-6472
- huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021
- nvd.nist.gov/vuln/detail/CVE-2023-5844
Code Behaviors & Features
Detect and mitigate CVE-2023-5844 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →