
Blackbitdevs

#30312 of 53,611
8.7 Total CVSS
Vulnerabilities · 1
PT-2024-33488
8.7
2024-10-23
Pimcore · Pimcore · CVE-2024-49370
**Name of the Vulnerable Software and Affected Versions**

Pimcore portal engine versions prior to 4.1.7

Pimcore portal engine versions prior to 3.1.16

**Description**

The issue affects Pimcore, an open source data and experience management platform. When a PortalUserObject is connected to a PimcoreUser and "Use Pimcore Backend Password" is set to true, the change password function in Portal Profile sets the new password without hashing it, allowing it to be read by everyone. This issue can affect everyone who connects PortalUser objects to PimcoreUsers and changes passwords via profile settings.

**Recommendations**

For Pimcore portal engine versions prior to 4.1.7, update to version 4.1.7 to resolve the issue.

For Pimcore portal engine versions prior to 3.1.16, update to version 3.1.16 to resolve the issue.