Pimcore Admin Classic Bundle
By the Year
In 2023 there have been 5 vulnerabilities in Pimcore Admin Classic Bundle, with an average score of 6.0 out of ten. Admin Classic Bundle did not have any published security vulnerabilities last year, so 5 more vulnerabilities have already been reported in 2023 than in the previous year.
Year | Vulnerabilities | Average Score |
---|---|---|
2023 | 5 | 6.02 |
2022 | 0 | 0.00 |
2021 | 0 | 0.00 |
2020 | 0 | 0.00 |
2019 | 0 | 0.00 |
2018 | 0 | 0.00 |
It may take a day or so for new Admin Classic Bundle vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Pimcore Admin Classic Bundle Security Vulnerabilities
The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore
CVE-2023-47636
5.3 - Medium
- November 15, 2023
The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Full Path Disclosure (FPD) vulnerabilities enable an attacker to learn the filesystem path to the webroot or to a file, e.g. /home/omg/htdocs/file/. Certain other vulnerabilities, such as using a load_file() query within a SQL injection to view page source, require the attacker to know the full path of the file they wish to read. In the case of Pimcore, the fopen() call here does not handle the error raised when the file does not exist on the server, so the server response includes the full path: "fopen(/var/www/html/var/tmp/export-{unique id}.csv)". This issue has been patched in commit `10d178ef771`, which is included in release version 1.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
The Pimcore Admin Classic Bundle provides a backend UI for Pimcore
CVE-2023-46722
6.1 - Medium
- October 31, 2023
The Pimcore Admin Classic Bundle provides a backend UI for Pimcore. Prior to version 1.2.0, a cross-site scripting vulnerability could be used to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie, or to redirect users to other malicious sites. Users should upgrade to version 1.2.0 to receive a patch or, as a workaround, apply the patch manually.
XSS
Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0.
CVE-2023-5844
7.2 - High
- October 30, 2023
Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0.
authentication
Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore
CVE-2023-42817
5.4 - Medium
- September 25, 2023
Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore. A translation value whose text includes %s (from %suggest%) is parsed by sprintf() even though it is supposed to be output literally to the user. The translations may be editable by a user with comparatively low overall access (as the translation permission cannot be scoped to certain modules), and a skilled attacker might be able to exploit the parsing of the translation string in the dialog box. This issue has been patched in commit `abd77392`, which is included in release 1.1.2. Users are advised to update to version 1.1.2 or apply the patch manually.
XSS
Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework
CVE-2023-37280
6.1 - Medium
- July 11, 2023
Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. An admin who has not set up two-factor authentication is vulnerable to this attack, which requires no privilege of any kind and causes the application to execute arbitrary scripts or HTML content. This vulnerability has been patched in version 1.0.3.
XSS
