Information disclosure in Pimcore

#VU78548 Information disclosure in Pimcore

Published: 2023-07-24

Vulnerability identifier: #VU78548

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-3819

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pimcore
Web applications / CMS

Vendor: Pimcore

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote user can gain unauthorized access to sensitive information on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Pimcore: 10.6.0 - 10.6.3

External links
http://github.com/pimcore/pimcore/commit/0237527b3244d251fa5ecd4912dfe4f8b2125c54
http://huntr.dev/bounties/be5e4d4c-1b0b-4c01-a1fc-00533135817c

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Pimcore