CVE-2023-5844
📋 TL;DR
This vulnerability lets an unauthenticated attacker change the password of any user account through Pimcore's admin-ui-classic-bundle, without the verification that should gate a password change. It affects every Pimcore installation running a version of the bundle below 1.2.0, and because the accounts in question include administrators, a successful attack compromises administrative access to the content management system.
💻 Affected Systems
- pimcore/admin-ui-classic-bundle
📦 What is this software?
Pimcore is an open-source PHP platform for data, content and digital-asset management. admin-ui-classic-bundle is the Composer package (pimcore/admin-ui-classic-bundle) that provides the classic ExtJS-based admin backend for Pimcore 11, where it was split out of the core; nearly every Pimcore 11 installation runs it.
⚠️ Risk & Real-World Impact
Worst Case
Complete takeover of the Pimcore instance through administrative account compromise, leading to data theft, content manipulation, or system destruction.
Likely Case
Unauthorized password changes for user accounts, enabling privilege escalation and unauthorized access to sensitive content management functions.
If Mitigated
Network restrictions on the admin interface and strong authentication controls reduce the exposure, but the flaw remains in the application layer until the bundle is updated.
🎯 Exploit Status
The huntr report and the fix commit are public, so the details needed to reproduce the issue are readily available. With no authentication required, exploitation is a matter of sending the crafted request to an exposed admin interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.0
Fix Commit (the vendor link is the patch itself, not a separate advisory): https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea
Restart Required: No, unless PHP's opcache runs with opcache.validate_timestamps=0; in that case reload PHP-FPM (or the web server's PHP module) after the update so the patched files replace the cached ones.
Instructions:
1. Update the bundle to 1.2.0 or later with Composer: composer update pimcore/admin-ui-classic-bundle. If the constraint in composer.json excludes 1.2.x, raise it first: composer require pimcore/admin-ui-classic-bundle:^1.2
2. Clear the Symfony cache: php bin/console cache:clear
3. Verify that the installed version is 1.2.0 or higher (see How to Verify below)
🔧 Temporary Workarounds
Disable admin-ui-classic-bundle
Temporarily disable the vulnerable bundle if immediate patching is not possible. This takes the entire admin backend offline, not only the affected endpoint, so content editors lose access until the patch is in.
Remove or comment out the bundle's entry in config/bundles.php, then clear the cache.
Network isolation
Restrict access to the Pimcore admin interface with firewall rules. The rules below gate all of port 443, so they only fit a host that serves the admin interface alone; where the public site shares the port, restrict the /admin path at the reverse proxy instead. Replace trusted_ip_range with the CIDR of your administrators' networks, and note that -A appends, so an earlier blanket ACCEPT rule would still take precedence.
iptables -A INPUT -p tcp --dport 443 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls so that only administrators' networks can reach the Pimcore admin interface
- Enable two-factor authentication for all administrative accounts as a compensating control, so that a changed password alone does not yield a login
🔍 How to Verify
Check if Vulnerable:
The bundle is vulnerable if the installed version is below 1.2.0. Read the locked version from composer.lock or ask Composer directly:
composer show pimcore/admin-ui-classic-bundle | grep versions
Verify Fix Applied:
Run the same command after updating and confirm that the reported version is 1.2.0 or higher.
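The patch steps above and the version check in this section both reduce to one question: is the locked bundle version below 1.2.0? The script below is an added example (not Pimcore project code) that answers it from composer.lock, so it runs in CI or on a host without Composer; the lock fragment it writes for its self-check is constructed, and pointing LOCK at a real composer.lock checks a deployment.

```shell
#!/bin/sh
# Added example (not Pimcore project code): decide from composer.lock whether
# the locked pimcore/admin-ui-classic-bundle is older than the fixed 1.2.0.
# Reads the lock file directly, so it runs offline in CI or on a host
# without Composer.

PKG="pimcore/admin-ui-classic-bundle"
FIXED="1.2.0"

# locked_version PACKAGE LOCKFILE: print the locked version of PACKAGE.
# In composer.lock every package object starts with "name" followed on the
# next line by "version", which is what this small awk state machine relies on.
locked_version() {
    awk -v want="\"$1\"," '
        $1 == "\"name\":"           { hit = ($2 == want); next }
        hit && $1 == "\"version\":" { gsub(/[",]/, "", $2); print $2; exit }
    ' "$2"
}

# version_lt A B: succeed when dotted version A is lower than B.
# A leading "v" and any pre-release/build suffix are ignored, and missing
# components count as 0 ("1.2" == "1.2.0").
version_lt() {
    a=$(printf '%s\n' "$1" | sed 's/^v//; s/[-+].*$//')
    b=$(printf '%s\n' "$2" | sed 's/^v//; s/[-+].*$//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s\n' "$b" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# verdict LOCKFILE: print "vulnerable", "fixed" or "unknown". Dev branches
# (dev-main) and a missing package are reported as unknown, never as fixed.
verdict() {
    v=$(locked_version "$PKG" "$1")
    case "$v" in
        "")              echo "unknown"; return 0 ;;
        v[0-9]*|[0-9]*)  ;;
        *)               echo "unknown"; return 0 ;;
    esac
    if version_lt "$v" "$FIXED"; then echo "vulnerable"; else echo "fixed"; fi
}

# write_sample_lock PATH VERSION: write a constructed composer.lock fragment
# (not a real project file) so the script can be exercised without a checkout.
write_sample_lock() {
    cat > "$1" <<EOF
{
    "packages": [
        {
            "name": "pimcore/admin-ui-classic-bundle",
            "version": "$2",
            "authors": [ { "name": "Pimcore GmbH" } ]
        },
        {
            "name": "pimcore/pimcore",
            "version": "v11.0.5"
        }
    ]
}
EOF
}

# Point LOCK at a real composer.lock to check a deployment; otherwise run the
# self-check against the constructed sample.
if [ -n "${LOCK:-}" ]; then
    echo "$LOCK: $PKG is $(verdict "$LOCK")"
else
    tmp=$(mktemp); write_sample_lock "$tmp" "v1.1.3"
    echo "sample lock (v1.1.3): $PKG is $(verdict "$tmp")"   # prints: vulnerable
    rm -f "$tmp"
fi
```

Usage: `LOCK=/var/www/pimcore/composer.lock sh check-bundle.sh`. The comparison deliberately parses the lock file rather than composer.json, because the constraint in composer.json says what may be installed, while the lock file says what is.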
📡 Detection & Monitoring
Log Indicators:
- Password changes, especially on administrative accounts, that were not initiated by the account owner or by an administrator through the UI
- Failed logins followed shortly by a password change on the same account and then a successful login
Network Indicators:
- HTTP POST requests to the admin user-update endpoints without a valid admin session cookie (the classic admin UI is session-based; a request carrying no session, or somebody else's, should never change a password)
- Unfamiliar source IPs, or non-browser user agents, reaching admin password functionality
SIEM Query:
The query below is a template; substitute the event and field names of your own log schema, and admin_allowlist with your administrators' source ranges.
source="pimcore" AND (event="password_change" OR event="user_update") AND NOT src_ip IN (admin_allowlist)
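To turn the network indicators above into something that runs over a real access log, the script below, an added example that is not from the original page or from Pimcore, flags POSTs to the admin user-update endpoints from outside an allowlist and tallies them per source. The endpoint paths (/admin/user/update and /admin/user/update-current-user) and the allowlist prefixes are assumptions about the classic admin UI's routes and about your network; the log lines it writes for its self-check are constructed.

```shell
#!/bin/sh
# Added example, not code from Pimcore or from the original page: scan a
# combined-format web-server access log for POSTs to the admin user-update
# endpoints from addresses outside the admin allowlist. The endpoint paths are
# an assumption about the classic admin UI's routes (/admin/user/update for
# editing a user, /admin/user/update-current-user for one's own account);
# check them against your installation before relying on them.

# Assumed trusted source prefixes for admin traffic (plain prefix match, not
# CIDR); replace with your own.
ALLOWED_NETS="10.0.0. 192.168.1."

# flag_requests LOGFILE: print "src_ip path status user_agent" for every POST
# to an assumed user-update endpoint from a source outside ALLOWED_NETS.
# Combined log format fields: $1 client, $6 "METHOD, $7 path, $9 status; the
# user agent is the last quoted string on the line.
flag_requests() {
    awk -v allow="$ALLOWED_NETS" '
        BEGIN { n = split(allow, nets, " ") }
        $6 == "\"POST" && $7 ~ /^\/admin\/user\/update/ {
            ok = 0
            for (i = 1; i <= n; i++) if (index($1, nets[i]) == 1) ok = 1
            if (!ok) {
                ua = $0; sub(/.*" "/, "", ua); sub(/"$/, "", ua)
                print $1, $7, $9, ua
            }
        }' "$1"
}

# flag_count LOGFILE: number of flagged requests (handy for a threshold alert).
flag_count() { flag_requests "$1" | awk 'END { print NR }'; }

# flag_by_source LOGFILE: flagged requests per source IP, most active first.
flag_by_source() {
    flag_requests "$1" | awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# write_sample_log PATH: constructed log lines (not real traffic) mixing a
# legitimate admin edit from the allowlist with a scripted attempt from outside it.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [10/Oct/2023:09:14:02 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.15 - - [10/Oct/2023:09:15:11 +0000] "POST /admin/user/update HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:09:16:40 +0000] "POST /admin/user/update HTTP/1.1" 200 87 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/Oct/2023:09:16:41 +0000] "POST /admin/user/update-current-user HTTP/1.1" 200 87 "-" "python-requests/2.31.0"
198.51.100.2 - - [10/Oct/2023:09:20:05 +0000] "GET /admin/user/get HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
EOF
}

# Point LOG at a real access log; otherwise run over the constructed sample.
if [ -n "${LOG:-}" ]; then
    flag_by_source "$LOG"
else
    tmp=$(mktemp); write_sample_log "$tmp"
    flag_requests "$tmp"      # prints the two 203.0.113.7 requests
    rm -f "$tmp"
fi
```

Usage: `LOG=/var/log/nginx/access.log sh scan-admin-updates.sh`. A hit from a non-browser user agent with a 200 status, as in the sample, is the pattern worth paging on; a 302 or 403 on the same path is the web server or the patched bundle refusing the request and is informational.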
🔗 References
- https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea
- https://huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021