Improper control of interaction frequency in Pimcore

#VU22798 Improper control of interaction frequency in Pimcore

Published: 2019-11-15

Vulnerability identifier: #VU22798

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18985

CWE-ID: CWE-799

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pimcore
Web applications / CMS

Vendor: Pimcore

Description

The vulnerability allows a remote attacker to perform a brute-force attack.

The vulnerability exists due to the affected software lacks brute force protection for the 2FA token. A remote attacker can brute-force passwords on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Pimcore: 6.0.0 - 6.2.1

External links
http://github.com/pimcore/pimcore/commit/9f2d075243a8392c114d9a8028858b9faf041e2d
http://github.com/pimcore/pimcore/compare/v6.2.1...v6.2.2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Pimcore