Description

Pimcore is an open source data & experience management platform. In versions prior to 10.1.3, it is possible to enumerate usernames via the forgot password functionality. This issue is fixed in version 10.1.3. As a workaround, one may apply the available patch manually.

Related CPE's

a

pimcore

pimcore

Vulnerable

References

https://github.com/pimcore/pimcore/pull/10223.patch

PatchThird Party Advisory

https://github.com/pimcore/pimcore/pull/10223/commits/d0a4de39cf05dce6af71f8ca039132bdfcbb0dce

PatchThird Party Advisory

https://github.com/pimcore/pimcore/security/advisories/GHSA-579x-cjvr-cqj9

Third Party Advisory

https://huntr.dev/bounties/12462a99-ebf8-4e39-80b3-54a16caa3f4c/

Third Party Advisory

Weaknesses

[email protected]

Primary
CWE-203

[email protected]

Secondary
CWE-204

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.3 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2021-09-15T14:15:08.997

3 years ago

Last modified

2021-09-27T20:13:17.483

3 years ago