Multiple vulnerabilities in Pimcore
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU22796
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-18981
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists in the "models/Notification/Service/NotificationService.php" file due to improper access restrictions. A remote authenticated attacker can bypass implemented security restrictions and gain unauthorized access to sensitive information on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 6.0.0 - 6.2.1
CPE2.3- cpe:2.3:a:pimcore:pimcore:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:6.0.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/commit/0a5d80b2593b2ebe35d19756b730ba33aa049106
https://github.com/pimcore/pimcore/compare/v6.2.1...v6.2.2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper control of interaction frequency
EUVDB-ID: #VU22798
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-18985
CWE-ID:
CWE-799 - Improper Control of Interaction Frequency
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a brute-force attack.
The vulnerability exists due to the affected software lacks brute force protection for the 2FA token. A
remote attacker can brute-force passwords on the target system.
Install updates from vendor's website.
Vulnerable software versionsPimcore: 6.0.0 - 6.2.1
CPE2.3- cpe:2.3:a:pimcore:pimcore:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:6.0.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/commit/9f2d075243a8392c114d9a8028858b9faf041e2d
https://github.com/pimcore/pimcore/compare/v6.2.1...v6.2.2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper control of interaction frequency
EUVDB-ID: #VU22797
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-18986
CWE-ID:
CWE-799 - Improper Control of Interaction Frequency
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a brute-force attack on the target system.
The vulnerability exists due to the application does not implement sufficient measures to prevent multiple failed authentication attempts. A remote attacker can brute-force (guess) valid usernames by using the "forgot password" functionality as it returns distinct messages for invalid password and non-existing users.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 6.0.0 - 6.2.1
CPE2.3- cpe:2.3:a:pimcore:pimcore:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:pimcore:pimcore:6.0.2:*:*:*:*:*:*:*
https://github.com/pimcore/pimcore/commit/4a7bba5c3f818852cbbd29fa124f7fb09a207185
https://github.com/pimcore/pimcore/compare/v6.2.1...v6.2.2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
