Multiple vulnerabilities in Pimcore



Published: 2019-11-15
Risk: Medium
Patch available: YES
Number of vulnerabilities: 3
CVE-ID: CVE-2019-18981, CVE-2019-18985, CVE-2019-18986
CWE-ID: CWE-284, CWE-799
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Pimcore (Web applications / CMS)

Vendor: Pimcore

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU22796

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18981

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists in the "models/Notification/Service/NotificationService.php" file due to improper access restrictions. A remote authenticated attacker can bypass implemented security restrictions and gain unauthorized access to sensitive information on the target system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Pimcore: 6.0.0 - 6.2.1


External links

http://github.com/pimcore/pimcore/commit/0a5d80b2593b2ebe35d19756b730ba33aa049106
http://github.com/pimcore/pimcore/compare/v6.2.1...v6.2.2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper control of interaction frequency

EUVDB-ID: #VU22798

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18985

CWE-ID: CWE-799 - Improper Control of Interaction Frequency

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a brute-force attack.

The vulnerability exists because the affected software lacks brute-force protection for the 2FA token. A remote attacker can brute-force passwords on the target system.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Pimcore: 6.0.0 - 6.2.1


External links

http://github.com/pimcore/pimcore/commit/9f2d075243a8392c114d9a8028858b9faf041e2d
http://github.com/pimcore/pimcore/compare/v6.2.1...v6.2.2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper control of interaction frequency

EUVDB-ID: #VU22797

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18986

CWE-ID: CWE-799 - Improper Control of Interaction Frequency

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a brute-force attack on the target system.

The vulnerability exists because the application does not implement sufficient measures to prevent multiple failed authentication attempts. A remote attacker can brute-force (guess) valid usernames by using the "forgot password" functionality, as it returns distinct messages for an invalid password and for non-existing users.

Mitigation

Install updates from the vendor's website.
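
The two CWE-799 issues in this bulletin (unlimited guesses at the 2FA token, and a "forgot password" reply that differs for existing and non-existing users) call for the same kind of control. The Python below is an added example, not Pimcore's code or the vendor's patch; `AuthGuard`, the thresholds, the reply text and the user table are assumptions made for illustration.

```python
import hmac
import time

MAX_FAILURES = 5      # assumed policy value, not taken from Pimcore
LOCK_SECONDS = 300    # assumed lockout window
RESET_REPLY = "If the account exists, a reset link has been sent."


class AuthGuard:
    """Failure-limited 2FA check plus a uniform 'forgot password' reply."""

    def __init__(self, codes, clock=time.monotonic):
        self.codes = codes    # username -> current 2FA code (constructed data)
        self.clock = clock
        self.state = {}       # username -> (failed attempts, locked until)
        self.outbox = []      # reset mails queued for delivery

    def verify_2fa(self, username, code):
        now = self.clock()
        failed, locked_until = self.state.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"   # refuse without evaluating the guess
        expected = self.codes.get(username, "")
        if expected and hmac.compare_digest(expected.encode(), code.encode()):
            self.state.pop(username, None)
            return "ok"
        failed += 1
        # After MAX_FAILURES wrong codes, block further guesses for a while.
        if failed >= MAX_FAILURES:
            self.state[username] = (0, now + LOCK_SECONDS)
        else:
            self.state[username] = (failed, 0.0)
        return "denied"

    def request_password_reset(self, username):
        # Mail is queued only for real accounts; the caller sees one reply
        # either way, so the response does not reveal which names exist.
        if username in self.codes:
            self.outbox.append(username)
        return RESET_REPLY


def demo():
    """Constructed run: six wrong guesses, then both reset outcomes."""
    guard = AuthGuard({"alice": "492817"}, clock=lambda: 0.0)
    results = [guard.verify_2fa("alice", "000000") for _ in range(6)]
    replies = {guard.request_password_reset(u) for u in ("alice", "nobody")}
    return results, replies, guard.outbox
```

In a deployment the counter would live in shared storage rather than process memory, and the reset mail would be sent asynchronously so response time does not differ between the two cases.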

Vulnerable software versions

Pimcore: 6.0.0 - 6.2.1


External links

http://github.com/pimcore/pimcore/commit/4a7bba5c3f818852cbbd29fa124f7fb09a207185
http://github.com/pimcore/pimcore/compare/v6.2.1...v6.2.2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


