CVE-2024-23648

Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password. The URL sent contains a unique token, valid during 24 hours, allowing the user to reset its password. This token is highly sensitive ; as an attacker able to retrieve it would be able to resets the user's password. Prior to version 1.2.3, the reset-password URL is crafted using the "Host" HTTP header of the request sent to request a password reset. This way, an external attacker could send password requests for users, but specify a "Host" header of a website that they control. If the user receiving the mail clicks on the link, the attacker would retrieve the reset token of the victim and perform account takeover. Version 1.2.3 fixes this issue.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/pimcore/admin-ui-classic-bundle/commit/70f2205b5a5ea9584721d4f3e803f4d0dd5e4655	Patch
https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-mrqg-mwh7-q94j	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:pimcore:*:*

History

24 Jan 2024, 18:45

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-01-24 18:15

Updated : 2024-02-02 15:45

NVD link : CVE-2024-23648

Mitre link : CVE-2024-23648

CVE.ORG link : CVE-2024-23648

JSON object : View

Products Affected

pimcore

admin_classic_bundle

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

{"id": "CVE-2024-23648", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-01-24T18:15:08.877", "references": [{"url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/70f2205b5a5ea9584721d4f3e803f4d0dd5e4655", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-mrqg-mwh7-q94j", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password. The URL sent contains a unique token, valid during 24 hours, allowing the user to reset its password. This token is highly sensitive ; as an attacker able to retrieve it would be able to resets the user's password. Prior to version 1.2.3, the reset-password URL is crafted using the \"Host\" HTTP header of the request sent to request a password reset. This way, an external attacker could send password requests for users, but specify a \"Host\" header of a website that they control. If the user receiving the mail clicks on the link, the attacker would retrieve the reset token of the victim and perform account takeover. Version 1.2.3 fixes this issue."}, {"lang": "es", "value": "El paquete Admin Classic de Pimcore proporciona una interfaz de usuario backend para Pimcore. La funci\u00f3n de restablecimiento de contrase\u00f1a env\u00eda al usuario que solicita un cambio de contrase\u00f1a un correo electr\u00f3nico que contiene una URL para restablecer su contrase\u00f1a. La URL enviada contiene un token \u00fanico, v\u00e1lido durante 24 horas, que permite al usuario restablecer su contrase\u00f1a. Este token es muy sensible; ya que un atacante capaz de recuperarlo podr\u00eda restablecer la contrase\u00f1a del usuario. Antes de la versi\u00f3n 1.2.3, la URL de restablecimiento de contrase\u00f1a se elabora utilizando el encabezado HTTP \"Host\" de la solicitud enviada para solicitar un restablecimiento de contrase\u00f1a. De esta manera, un atacante externo podr\u00eda enviar solicitudes de contrase\u00f1a para los usuarios, pero especificar un encabezado \"Host\" de un sitio web que controla. Si el usuario que recibe el correo hace clic en el enlace, el atacante recuperar\u00e1 el token de reinicio de la v\u00edctima y realizar\u00e1 la apropiaci\u00f3n de la cuenta. La versi\u00f3n 1.2.3 soluciona este problema."}], "lastModified": "2024-02-02T15:45:25.457", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:pimcore:*:*", "vulnerable": true, "matchCriteriaId": "A09FDD6A-8483-4589-9A7E-46817A73788C", "versionEndExcluding": "1.2.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}