CVE-2023-5844
MEDIUM 4.3 | EPSS 0.00% | pimcore/admin-ui-classic-bundle Unverified Password Change
Description
### Impact

The old password can be set as the new password, which is a password policy violation. Pimcore does not enforce a strict password policy, so an attacker who has a user's current password can keep it in place indefinitely by "changing" it to the same value, defeating any forced-rotation process.

Proof of Concept

1. Go to the Admin link.
2. Log in and click on "User | My Profile".
3. Go to "change password", enter the old password as the new password and click save.

### Patches

https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch

### Workarounds

Update to version 1.2.0 or apply this patch manually: https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch

### References

https://huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021/
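The defensive shape of the fix, as an added example that is not Pimcore's own code: a password-change handler that authenticates with the current password, applies a minimum-length policy, and rejects a new password that matches the stored hash. It assumes a standalone PBKDF2 hasher as a stand-in for the application's real password hasher and a hypothetical `MIN_LENGTH` policy value.

```python
import hashlib
import hmac
import os

# Demo hasher parameters (assumption: stand-in for the application's real hasher).
SALT_LEN = 16
ITERATIONS = 100_000
MIN_LENGTH = 10  # hypothetical policy value


class PasswordReuseError(ValueError):
    """New password is identical to the current one (the CVE-2023-5844 case)."""


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password) as one opaque blob."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time check of a candidate password against a stored blob."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def change_password(stored: bytes, current_password: str, new_password: str) -> bytes:
    """Validate a password-change request and return the new stored blob.

    Order matters: authenticate the caller with the current password first,
    then apply policy, and only then reject reuse, so the reuse check never
    answers "is this my password?" for an unauthenticated caller.
    """
    if not verify_password(current_password, stored):
        raise PermissionError("current password is incorrect")
    if len(new_password) < MIN_LENGTH:
        raise ValueError(f"new password must be at least {MIN_LENGTH} characters")
    # Compare against the stored hash rather than the submitted old password, so
    # the check still holds if the form ever stops requiring the old password.
    if verify_password(new_password, stored):
        raise PasswordReuseError("new password must differ from the current password")
    return hash_password(new_password)
```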
Affected packages (1)
- Packagist / pimcore/admin-ui-classic-bundle: from 0, < 1.2.0-RC1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-5844
- PATCH: https://github.com/pimcore/admin-ui-classic-bundle
- WEB: https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea
- WEB: https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-6f58-j323-6472
- WEB: https://huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021