Mathisca · #29503 of 53,608 · Total CVSS 8.8 · Vulnerabilities: 1
PT-2024-19999 · CVSS 8.8 · 2024-01-24 · Pimcore · Pimcore Admin Classic Bundle · CVE-2024-23648
**Name of the Vulnerable Software and Affected Versions**

Pimcore's Admin Classic Bundle, versions prior to 1.2.3

**Description**

The password reset functionality in Pimcore's Admin Classic Bundle sends the user an email requesting a password change; the email contains a URL with a unique token, valid for 24 hours, that lets the user reset their password. This token is highly sensitive: anyone who obtains it can reset the user's password. Prior to version 1.2.3, the reset-password URL is built from the `Host` HTTP header of the request that triggered the password reset, so an external attacker can submit password reset requests for other users while supplying a `Host` header pointing at a website they control. If the user clicks the link in the email, the token is sent to the attacker's site, and the attacker can use it to take over the account.

**Recommendations**

For versions prior to 1.2.3, update to version 1.2.3 or later to fix the issue. As a temporary workaround, consider configuring a variable that defines the server host and disabling the password reset functionality whenever that variable is not set. Ensure that the administrator is aware of the potential risks and takes the necessary precautions to prevent account takeover. Restrict the server from serving requests with an arbitrary `Host` header to minimize the risk of exploitation.
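The flawed URL construction the advisory describes, placed beside a hardened version that follows its workaround (configured server host, reset disabled when it is unset, `Host` allow-list). This is an added illustration in Python, not Pimcore's own code; the function, parameter and configuration names are assumptions.

```python
"""Password-reset link construction: Host-header-derived vs. configured origin.

Constructed example for the advisory above; not Pimcore's implementation.
"""
from typing import Optional
from urllib.parse import urlencode, urlsplit


class ResetDisabled(Exception):
    """No trusted server host is configured, so reset links must not be issued."""


def build_reset_url_from_host_header(request_headers: dict, token: str) -> str:
    # Flawed pattern (pre-1.2.3 behaviour described in the advisory): the link's
    # origin is whatever the client put in the Host header, so the 24-hour
    # token is delivered to a host chosen by the requester, not the operator.
    host = request_headers.get("Host", "")
    return f"https://{host}/admin/reset-password?{urlencode({'token': token})}"


def build_reset_url(configured_base_url: Optional[str], token: str) -> str:
    # Hardened pattern: the origin comes from server configuration only.
    # Following the advisory's workaround, refuse to issue a link at all when
    # the server host has not been configured.
    if not configured_base_url:
        raise ResetDisabled("server host not configured; password reset disabled")
    parts = urlsplit(configured_base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("configured base URL must be an absolute https URL")
    base = f"{parts.scheme}://{parts.netloc}{parts.path.rstrip('/')}"
    return f"{base}/admin/reset-password?{urlencode({'token': token})}"


def host_header_allowed(request_headers: dict, allowed_hosts: set) -> bool:
    # Allow-list check for the advisory's last recommendation: reject requests
    # whose Host header is not one of the operator's configured hostnames.
    # Hostnames are compared case-insensitively; a port suffix is stripped.
    host = request_headers.get("Host", "").lower().split(":", 1)[0]
    return bool(host) and host in allowed_hosts
```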