CVE-2024-23648
📋 TL;DR
This vulnerability in Pimcore's Admin Classic Bundle (versions before 1.2.3) allows account takeover through the password reset flow. The link in the reset email is built from the Host header of the request that triggered it, so an attacker who requests a reset for a victim's account while sending a forged Host header causes the emailed link to point at an attacker-controlled domain. When the victim opens the link, the reset token is delivered to the attacker, who can then set a new password. Every account on an affected installation can be targeted this way.
💻 Affected Systems
- Pimcore Admin Classic Bundle
📦 What is this software?
Pimcore is an open-source, PHP/Symfony-based platform for content, product data, digital assets and commerce. The Admin Classic Bundle (pimcore/admin-ui-classic-bundle) is the package that provides the classic administration interface, including the admin login and lost-password pages, for Pimcore 11.
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of any user, including administrators, leading to data theft, privilege escalation, and potential system compromise.
Likely Case
Targeted account takeover of specific users: the victim receives a genuine reset email from the real application, which is more convincing than ordinary phishing, resulting in unauthorized access to sensitive data and functionality.
If Mitigated
No impact once the reset link is generated from a configured, trusted host, or the application rejects requests whose Host header is not on an explicit allow list. The attack also fails if the targeted user never opens the forged link, but that is not a control to rely on.
🎯 Exploit Status
Exploitation requires user interaction (the victim must click the link in the reset email), but the attacker needs only the victim's login name or email address, whichever the reset form accepts, plus a single crafted HTTP request, so the attack is straightforward to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.3
Vendor Advisory: https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-mrqg-mwh7-q94j
Restart Required: No
Instructions:
1. Update Pimcore Admin Classic Bundle to version 1.2.3 or later: composer require pimcore/admin-ui-classic-bundle:^1.2.3 (or composer update pimcore/admin-ui-classic-bundle if your existing version constraint already permits 1.2.3).
2. Confirm the installed version with composer show pimcore/admin-ui-classic-bundle.
3. Clear the Symfony cache (bin/console cache:clear) so the updated code is picked up.
🔧 Temporary Workarounds
Host Header Validation
Configure the application to reject requests whose Host header is not on an explicit allow list (Symfony's framework.trusted_hosts setting does this for a Pimcore installation).
Configure the web server (Apache/Nginx) so that only the expected server names are served, and send any other Host value to a catch-all default server that returns an error instead of passing the request to PHP.
Disable Password Reset
Temporarily disable the lost-password flow until patched.
Block the password reset route in the application configuration or at the web server, so that reset requests cannot generate emails.
🧯 If You Can't Patch
- Implement WAF rules to block requests with suspicious Host headers
- Monitor for unusual password reset requests and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
The installation is vulnerable if pimcore/admin-ui-classic-bundle is below 1.2.3.
Check Version:
composer show pimcore/admin-ui-classic-bundle | grep versions
Verify Fix Applied:
Confirm the version is 1.2.3 or higher. Then request a password reset for a test account while sending a Host header for a domain you do not own; the link in the resulting email must still point at your configured domain.
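The version check above, as an added example written for this page (not Pimcore or Composer code): it parses the text that composer show prints for the package and decides whether the installed release is older than 1.2.3, treating pre-releases such as 1.2.3-RC1 as older than the final 1.2.3 and refusing to classify branch aliases such as dev-1.x. The SAMPLE_* strings are constructed, not captured from a real install.

```python
"""Decide whether the installed pimcore/admin-ui-classic-bundle is below 1.2.3.

Added example for this page, not Pimcore or Composer code. It reads the
text that `composer show pimcore/admin-ui-classic-bundle` prints (the line
`versions : * 1.2.2`) and compares the release against the fix version.
The SAMPLE_* strings are constructed, not captured from a real install.
"""
import re
import subprocess

PACKAGE = "pimcore/admin-ui-classic-bundle"
FIXED_RELEASE = (1, 2, 3)

# `composer show <pkg>` marks the installed version with an asterisk.
VERSION_LINE = re.compile(r"^versions\s*:\s*\*\s*(\S+)", re.MULTILINE)
RELEASE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(\S+))?$")


def parse_release(text):
    """Return (major, minor, patch, is_final) or None when Composer reports a
    branch alias such as dev-1.x, which cannot be compared to a release."""
    m = VERSION_LINE.search(text)
    if not m:
        return None
    rel = RELEASE.match(m.group(1))
    if not rel:
        return None
    major, minor, patch, suffix = rel.groups()
    # A pre-release (1.2.3-RC1, 1.2.3-dev) sorts below the final 1.2.3.
    return (int(major), int(minor), int(patch), 0 if suffix else 1)


def is_vulnerable(text):
    """True if the installed release is older than 1.2.3, False if it is 1.2.3
    or newer, None if the version string is not a comparable release."""
    rel = parse_release(text)
    if rel is None:
        return None
    return rel < FIXED_RELEASE + (1,)


def check_installed(project_dir="."):
    """Run composer in a Pimcore project directory and classify the result."""
    out = subprocess.run(
        ["composer", "show", PACKAGE], cwd=project_dir,
        capture_output=True, text=True, check=True,
    ).stdout
    return is_vulnerable(out)


# Constructed samples of what `composer show` prints (abridged).
SAMPLE_VULNERABLE = "name     : pimcore/admin-ui-classic-bundle\nversions : * v1.2.2\n"
SAMPLE_FIXED = "name     : pimcore/admin-ui-classic-bundle\nversions : * 1.2.3\n"
SAMPLE_PRERELEASE = "versions : * 1.2.3-RC1\n"
SAMPLE_BRANCH = "versions : * dev-1.x\n"

if __name__ == "__main__":
    for label, sample in [("1.2.2", SAMPLE_VULNERABLE), ("1.2.3", SAMPLE_FIXED)]:
        print(label, "vulnerable" if is_vulnerable(sample) else "fixed")
```

A None result means the package is installed from a branch rather than a tagged release; in that case compare the checked-out commit against the fix commit referenced below instead of trusting the version string.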
📡 Detection & Monitoring
Log Indicators:
- Multiple password reset requests for same user from different IPs
- Requests with unusual Host headers in access logs
Network Indicators:
- Unusual patterns of password reset email generation
- Requests to password reset endpoint with modified Host headers
SIEM Query (pseudo-syntax; the field names and endpoint paths are placeholders to map onto your log schema and the lost-password route of your deployment):
source="web_logs" AND (uri="/admin/reset-password" OR uri="/password-reset") AND (host_header!="expected-domain.com" OR host_header CONTAINS "attacker-domain")
Note that default access-log formats usually do not record the Host header; add it (Nginx $http_host, Apache %{Host}i) before relying on this query.
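The Host allow-list check from the workarounds section and the detection logic from this section, as one added example written for this page (not Pimcore code). It assumes, hypothetically, that the access log has been extended with the raw Host header as a final double-quoted field (Nginx $http_host, Apache %{Host}i), that the lost-password endpoint is served under /admin/login/lostpassword (adjust to your route), and that the trusted names are cms.example.com and admin.example.com. SAMPLE_LOG is constructed, not captured traffic.

```python
"""Trusted-Host check and a detector for password-reset requests that carry an
untrusted Host header.

Added example for this page, not Pimcore code. Assumptions (all hypothetical):
the access log carries the raw Host header as a final double-quoted field
(Nginx `$http_host`, Apache `%{Host}i`), the lost-password endpoint is served
under /admin/login/lostpassword, and the trusted names are cms.example.com
and admin.example.com. SAMPLE_LOG is constructed, not captured traffic.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"cms.example.com", "admin.example.com"}
RESET_PATHS = ("/admin/login/lostpassword",)

# Combined log format plus one trailing quoted field holding the Host header.
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"'
)


def normalize_host(raw):
    """Lower-case, strip a trailing dot and any :port so that
    `CMS.EXAMPLE.COM:8443` and `cms.example.com.` compare equal to the
    allow-listed name; IPv6 literals keep their brackets."""
    host = raw.strip().lower().rstrip(".")
    if host.startswith("["):
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def host_is_trusted(raw, trusted=TRUSTED_HOSTS):
    """The check the application (Symfony trusted_hosts) or the reverse proxy
    should enforce: exact match against an allow list, never a substring."""
    return normalize_host(raw) in trusted


def is_reset_request(target):
    # Ignore the query string so /admin/login/lostpassword?x=1 is still caught.
    return urlsplit(target).path.startswith(RESET_PATHS)


def find_suspicious_resets(lines, trusted=TRUSTED_HOSTS):
    """Return (findings, resets_per_ip): findings is a list of
    (client_ip, host_header, path) for reset requests whose Host is not
    trusted; resets_per_ip counts every reset request per client for
    rate-based alerting."""
    findings = []
    resets_per_ip = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not is_reset_request(m["target"]):
            continue
        resets_per_ip[m["ip"]] += 1
        if not host_is_trusted(m["host"], trusted):
            findings.append((m["ip"], m["host"], urlsplit(m["target"]).path))
    return findings, resets_per_ip


# Constructed sample lines: one legitimate reset, one with a forged Host,
# one unrelated page view, one reset whose Host differs only in case and port.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "POST /admin/login/lostpassword HTTP/1.1" 200 512 "-" "curl/8.4.0" "cms.example.com"',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "POST /admin/login/lostpassword HTTP/1.1" 200 512 "-" "curl/8.4.0" "evil.example.net"',
    '198.51.100.4 - - [10/Jan/2024:10:00:03 +0000] "GET /admin/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "cms.example.com:443"',
    '203.0.113.7 - - [10/Jan/2024:10:00:04 +0000] "POST /admin/login/lostpassword?retry=1 HTTP/1.1" 200 512 "-" "python-requests/2.31" "CMS.EXAMPLE.COM:8443"',
]

if __name__ == "__main__":
    findings, per_ip = find_suspicious_resets(SAMPLE_LOG)
    for ip, host, path in findings:
        print(f"ALERT reset with untrusted Host {host!r} from {ip} on {path}")
    for ip, n in per_ip.items():
        print(f"{ip}: {n} reset request(s)")
```

The comparison is an exact match after normalization rather than a substring test, because a substring rule would accept cms.example.com.evil.net; the per-IP counter is what the rate-limiting suggestion above keys on.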
🔗 References
- https://github.com/pimcore/admin-ui-classic-bundle/commit/70f2205b5a5ea9584721d4f3e803f4d0dd5e4655
- https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-mrqg-mwh7-q94j