Multiple vulnerabilities in Pimcore
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2019-18981 CVE-2019-18985 CVE-2019-18986 |
| CWE-ID | CWE-284 CWE-799 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Pimcore Web applications / CMS |
| Vendor | Pimcore |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU22796
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-18981
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists in the "models/Notification/Service/NotificationService.php" file due to improper access restrictions. A remote authenticated attacker can bypass implemented security restrictions and gain unauthorized access to sensitive information on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 6.0.0 - 6.2.1
External linkshttp://github.com/pimcore/pimcore/commit/0a5d80b2593b2ebe35d19756b730ba33aa049106
http://github.com/pimcore/pimcore/compare/v6.2.1...v6.2.2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper control of interaction frequency
EUVDB-ID: #VU22798
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-18985
CWE-ID:
CWE-799 - Improper Control of Interaction Frequency
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a brute-force attack.
The vulnerability exists due to the affected software lacks brute force protection for the 2FA token. A
remote attacker can brute-force passwords on the target system.
Install updates from vendor's website.
Vulnerable software versionsPimcore: 6.0.0 - 6.2.1
External linkshttp://github.com/pimcore/pimcore/commit/9f2d075243a8392c114d9a8028858b9faf041e2d
http://github.com/pimcore/pimcore/compare/v6.2.1...v6.2.2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper control of interaction frequency
EUVDB-ID: #VU22797
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-18986
CWE-ID:
CWE-799 - Improper Control of Interaction Frequency
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a brute-force attack on the target system.
The vulnerability exists due to the application does not implement sufficient measures to prevent multiple failed authentication attempts. A remote attacker can brute-force (guess) valid usernames by using the "forgot password" functionality as it returns distinct messages for invalid password and non-existing users.
MitigationInstall updates from vendor's website.
Vulnerable software versionsPimcore: 6.0.0 - 6.2.1
External linkshttp://github.com/pimcore/pimcore/commit/4a7bba5c3f818852cbbd29fa124f7fb09a207185
http://github.com/pimcore/pimcore/compare/v6.2.1...v6.2.2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
