Pimcore portal engine 4.1.6 Password stored as cleartext via PortalUserObject
CVE-2024-49370 Published on October 23, 2024
Change-Password via Portal-Profile sets PimcoreBackendUser password without hashing
Pimcore is an open source data and experience management platform. When a PortalUserObject is connected to a PimcoreUser and "Use Pimcore Backend Password" is set to true, the change password function in Portal Profile sets the new password. Prior to Pimcore portal engine versions 4.1.7 and 3.1.16, the password is then set without hashing so it can be read by everyone. Everyone who combines PortalUser to PimcoreUsers and change passwords via profile settings could be affected. Versions 4.1.7 and 3.1.16 of the Pimcore portal engine fix the issue.
Weakness Type
Unprotected Storage of Credentials
Storing a password in plaintext may result in a system compromise. Password management issues occur when a password is stored in plaintext in an application's properties or configuration file. Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource.
Products Associated with CVE-2024-49370
Want to know whenever a new CVE is published for Pimcore? stack.watch will email you.
Affected Versions
pimcore:- Version < 3.1.16 is affected.
- Version >= 4.0.0, < 4.1.7 is affected.
- Before 3.1.16 is affected.
- Version 4.0.0, <= 4.1.7 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.