#VU22798 Improper control of interaction frequency in Pimcore - CVE-2019-18985

Cybersecurity Help s.r.o.

Published: 2019-11-15

Vulnerability identifier: #VU22798

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-18985

CWE-ID: CWE-799

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pimcore
Web applications / CMS

Vendor: Pimcore

Description

The vulnerability allows a remote attacker to perform a brute-force attack.

The vulnerability exists due to the affected software lacks brute force protection for the 2FA token. A remote attacker can brute-force passwords on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Pimcore: 6.0.0 - 6.2.1

External links
https://github.com/pimcore/pimcore/commit/9f2d075243a8392c114d9a8028858b9faf041e2d
https://github.com/pimcore/pimcore/compare/v6.2.1...v6.2.2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Pimcore