pimcore/admin-ui-classic-bundle Unverified Password Change
Moderate severity
GitHub Reviewed
Published
Oct 30, 2023
in
pimcore/admin-ui-classic-bundle
•
Updated Nov 14, 2023
Description
Published by the National Vulnerability Database
Oct 30, 2023
Published to the GitHub Advisory Database
Oct 31, 2023
Reviewed
Oct 31, 2023
Last updated
Nov 14, 2023
Impact
As old password can be set as new password , it is considered as password policy violation.
Pimcore is not enforcing strict password policy which allow attacker to set old password as new password
Proof of Concept
Patches
https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch
Workarounds
Update to version 1.2.0 or apply this patches manually
https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch
References
https://huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021/
References