← Zuruck zu CVEs

CVE-2026-23495

MEDIUM

4.3

Beschreibung

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16.

CVE Details

CVSS v3.1 Bewertung4.3

SchweregradMEDIUM

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienLOW

BenutzerinteraktionNONE

Veroffentlicht1/15/2026

Zuletzt geandert1/30/2026

Quellenvd

Honeypot-Sichtungen0

Betroffene Produkte

pimcore:admin_classic_bundle

Schwachen (CWE)

CWE-284

Referenzen

https://github.com/pimcore/admin-ui-classic-bundle/commit/98095949fbeaf11cdf4cadb2989d7454e1b88909(security-advisories@github.com)

https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.7.16(security-advisories@github.com)

https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v2.2.3(security-advisories@github.com)

https://github.com/pimcore/pimcore/security/advisories/GHSA-hqrp-m84v-2m2f(security-advisories@github.com)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.