
Unverified Password Change

Moderate
dvesh3 published GHSA-6f58-j323-6472 Oct 30, 2023

Package

composer pimcore/admin-ui-classic-bundle (Composer)

Affected versions

< 1.2.0

Patched versions

1.2.0

Description

Impact

Because the old password can be set as the new password, this is a password policy violation.

Pimcore does not enforce a strict password policy, which allows an attacker to set the old password as the new password.

Proof of Concept

  1. Go to the Admin link.
  2. Log in and click "User | My Profile".
  3. Go to "Change password", enter the old password as the new password and click Save.
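The weakness behind this advisory is a change-password flow that neither proves knowledge of the current password nor rejects a "new" password identical to the one on file. The block below is an added example written for this page, not Pimcore's own code or its actual fix; the in-memory UserStore, the PBKDF2 hashing, the MIN_LENGTH policy value and the attempt_change helper are all assumptions chosen to keep the example self-contained. It shows the two checks a hardened handler performs: verify the supplied current password against the stored hash, then compare the proposed password against that same stored hash so that reuse is refused.

```python
import hashlib
import hmac
import secrets


class PasswordChangeError(ValueError):
    """Raised when a password change request fails a policy check."""


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of the password (stdlib only)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class UserStore:
    """Constructed in-memory user store standing in for a real user table (assumption)."""

    MIN_LENGTH = 10  # hypothetical policy floor for the example, not Pimcore's value

    def __init__(self) -> None:
        # username -> (salt, pbkdf2 digest)
        self._users = {}

    def create_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hash_password(password, salt))

    def verify(self, username: str, password: str) -> bool:
        """Constant-time comparison of a candidate password against the stored digest."""
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, hash_password(password, salt))

    def change_password(self, username: str, current_password: str, new_password: str) -> None:
        # Check 1 (CWE-620): the caller must prove knowledge of the current password,
        # so a hijacked session alone is not enough to rotate credentials.
        if not self.verify(username, current_password):
            raise PasswordChangeError("current password is incorrect")
        # Check 2 (the CVE-2023-5844 condition): the proposed password is compared
        # against the stored hash, so submitting the old password as the new one is refused.
        if self.verify(username, new_password):
            raise PasswordChangeError("new password must differ from the current password")
        # Check 3: a minimal strength floor; real deployments apply their full policy here.
        if len(new_password) < self.MIN_LENGTH:
            raise PasswordChangeError(f"new password must be at least {self.MIN_LENGTH} characters")
        # All checks passed: re-salt and store the new digest.
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hash_password(new_password, salt))


def attempt_change(store: UserStore, username: str, current: str, new: str) -> str:
    """Helper (assumed for the example) that reports the outcome as a string."""
    try:
        store.change_password(username, current, new)
    except PasswordChangeError as exc:
        return f"rejected: {exc}"
    return "changed"


if __name__ == "__main__":
    store = UserStore()
    store.create_user("alice", "Correct-Horse-1")  # constructed sample credential
    print(attempt_change(store, "alice", "Correct-Horse-1", "Correct-Horse-1"))  # reuse refused
    print(attempt_change(store, "alice", "wrong-guess", "Brand-New-Pass-9"))    # unverified
    print(attempt_change(store, "alice", "Correct-Horse-1", "Brand-New-Pass-9"))  # changed
```

Checking the candidate against the stored digest rather than string-comparing the two submitted fields is deliberate: it keeps the reuse check tied to what is actually on file, and the same verify() call serves as the building block for a broader password-history check.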

Patches

https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch

Workarounds

Update to version 1.2.0 or apply this patch manually:
https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch

References

https://huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021/

Severity

Moderate

CVE ID

CVE-2023-5844

Weaknesses

Unverified Password Change

When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.

Credits