← Back to CVEs

CVE-2023-49075

HIGH

8.4

Description

The Admin Classic Bundle provides a Backend UI for Pimcore. `AdminBundle\Security\PimcoreUserTwoFactorCondition` introduced in v11 disable the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the two factor credentials. This issue has been patched in version 1.2.2.

CVE Details

CVSS v3.1 Score8.4

SeverityHIGH

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredHIGH

User InteractionREQUIRED

Published11/28/2023

Last Modified11/21/2024

Sourcenvd

Honeypot Sightings0

Affected Products

pimcore:admin_classic_bundle

Weaknesses (CWE)

CWE-308

References

https://github.com/pimcore/admin-ui-classic-bundle/commit/e412b0597830ae564a604e2579eb40e76f7f0628(security-advisories@github.com)

https://github.com/pimcore/admin-ui-classic-bundle/pull/345(security-advisories@github.com)

https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-9wwg-r3c7-4vfg(security-advisories@github.com)

https://patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch(security-advisories@github.com)

https://github.com/pimcore/admin-ui-classic-bundle/commit/e412b0597830ae564a604e2579eb40e76f7f0628(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/pimcore/admin-ui-classic-bundle/pull/345(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-9wwg-r3c7-4vfg(af854a3a-2127-422b-91ae-364da2661108)

https://patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.