Pimcore Admin UI Classic Bundle: User enum via Forgot pwd before 1.7.4
CVE-2025-24980 Published on February 7, 2025
Pimcore Admin Classic Bundle allows user enumeration
pimcore/admin-ui-classic-bundle provides a Backend UI for Pimcore. In affected versions, the error message returned by the "Forgot password" function discloses whether an account exists, which allows user enumeration on the target. No generic error message had been implemented. This issue has been addressed in version 1.7.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Weakness Type
Observable Response Discrepancy
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. This issue frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine whether a username is valid. These exposures can be inadvertent (a bug) or intentional (a design choice).
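The weakness class above, applied to the "Forgot password" flow this advisory describes, as an added illustration that is not Pimcore's code: a handler whose reply differs for registered and unregistered addresses, beside a hardened handler that answers identically in both cases, plus a check that flags the discrepancy. The account store, the message strings and the probe addresses are constructed for this example.

```python
"""Added illustration (not Pimcore's code): a "Forgot password" handler that
exhibits CWE-204 (observable response discrepancy), beside a hardened version
that answers identically whether or not the address belongs to an account.
The account store, request shape and message strings are constructed."""
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed account store: only one address is registered.
REGISTERED_ACCOUNTS = {"alice@example.test"}

# Records which addresses had a reset mail queued, so the server-side
# side effect can be inspected without sending anything.
RESET_MAIL_QUEUE: list[str] = []


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def queue_reset_mail(email: str) -> None:
    """Stand-in for handing the address to a background mailer."""
    RESET_MAIL_QUEUE.append(email)


def forgot_password_leaky(email: str) -> Response:
    """Vulnerable pattern: the reply depends on whether the account exists,
    so each request confirms or denies that a username is valid."""
    if email not in REGISTERED_ACCOUNTS:
        return Response(404, "No account found for this e-mail address.")
    queue_reset_mail(email)
    return Response(200, "A password reset link has been sent.")


GENERIC_MESSAGE = "If an account exists for this address, a reset link has been sent."


def forgot_password_hardened(email: str) -> Response:
    """Hardened pattern: the reset mail is still only queued for registered
    accounts, but that decision never reaches the response, which carries the
    same status and body for every input."""
    if email in REGISTERED_ACCOUNTS:
        queue_reset_mail(email)
    return Response(200, GENERIC_MESSAGE)


def distinct_responses(handler: Callable[[str], Response],
                       probes: Iterable[str]) -> set[Response]:
    """Collect the distinct responses a handler produces across several inputs."""
    return {handler(p) for p in probes}


def leaks_account_state(handler: Callable[[str], Response],
                        probes: Iterable[str]) -> bool:
    """Regression check for CWE-204: more than one distinct response across
    registered and unregistered addresses means account state is observable."""
    return len(distinct_responses(handler, probes)) > 1


# Constructed probes: one registered address, one that does not exist.
PROBES = ["alice@example.test", "nobody@example.test"]

if __name__ == "__main__":
    for handler in (forgot_password_leaky, forgot_password_hardened):
        print(handler.__name__, "leaks account state:",
              leaks_account_state(handler, PROBES))
```

`leaks_account_state` is the kind of assertion that belongs in a test suite for any endpoint that takes a username or e-mail address, so a later change cannot reintroduce a distinguishing message. Note that the response body is not the only observable: if the registered branch does noticeably more work (such as dispatching mail inline), the response time differs as well, which is why the hardened handler only hands the address to a queue.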
Affected Versions
pimcore admin-ui-classic-bundle versions < 1.7.4 are affected by CVE-2025-24980.
Vulnerable Packages
The following package name and versions may be associated with CVE-2025-24980.
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| composer | pimcore/admin-ui-classic-bundle | < 1.7.4 | 1.7.4 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.