Pimcore Admin Classic Bundle <=1.2.1 Bypass TFA for non-admin users
CVE-2023-49075 Published on November 28, 2023
Pimcore Admin UI has Two Factor Authentication disabled for non-admin security firewalls
The Admin Classic Bundle provides a Backend UI for Pimcore. `AdminBundle\Security\PimcoreUserTwoFactorCondition`, introduced in v11, disables two-factor authentication for all non-admin security firewalls. An authenticated user can therefore access the system through such a firewall without having to provide the two-factor credentials. This issue has been patched in version 1.2.2.
Vulnerability Analysis
CVE-2023-49075 can be exploited with network access, requires user interaction and user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Use of Single-factor Authentication
The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme. While the use of multiple authentication schemes is simply piling on more complexity on top of authentication, it is inestimably valuable to have such measures of redundancy. The use of weak, reused, and common passwords is rampant on the internet. Without the added protection of multiple authentication schemes, a single mistake can result in the compromise of an account. For this reason, if multiple schemes are possible and also easy to use, they should be implemented and required.
Products Associated with CVE-2023-49075
Affected Versions
pimcore admin-ui-classic-bundle Version < 1.2.2 is affected by CVE-2023-49075
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.