PT-2024-19999 · Pimcore · Pimcore Admin Classic Bundle

Mathisca · Published 2024-01-24 · Updated 2026-04-23

CVE-2024-23648 · CVSS v3.1 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Pimcore Admin Classic Bundle, versions prior to 1.2.3

Description
The password reset functionality in Pimcore's Admin Classic Bundle e-mails the user a link whose URL carries a unique token, valid for 24 hours, that lets its holder set a new password. The token is therefore highly sensitive: anyone who obtains it can reset the account's password. Prior to version 1.2.3, the host part of the reset URL is taken from the Host header of the HTTP request that triggered the reset. An external attacker can request a reset for a target user while supplying a Host header that names a server they control; the e-mail the user receives then points at the attacker's server. If the user clicks the link, the browser delivers the token to the attacker, who uses it to set a new password and take over the account. The attack needs the user to click the link (CVSS UI:R) but no credentials on the attacker's side (PR:N).

Recommendations
Update to version 1.2.3 or later. As a temporary workaround, build the reset URL from an explicitly configured server host rather than from the request, and disable password reset when that value is not set. Administrators should be aware that, until the fix is applied, a reset e-mail they did not request may be an attack and its link should not be followed. Independently, restrict the server from answering requests with arbitrary Host header values (for example, with a catch-all default virtual host that rejects unknown hosts), which limits this and similar host header injection issues.
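To make the mechanism concrete, the following is an added, self-contained Python illustration written for this page; it is not Pimcore code and is not taken from the advisory or its fix. It shows a reset-link builder in the vulnerable shape (host copied from the request) beside the hardened shape the recommendations describe (host from configuration, reset refused when unconfigured), plus a Host allowlist check as defence in depth. The `Request` stand-in, the host names `cms.example.com` and `attacker.example`, and the `/admin/reset-password` path are all assumptions made for the example.

```python
# Added illustration of host header injection in a password-reset mailer.
# Constructed stand-alone example; it is not Pimcore code. Host names, the
# reset path and the Request stand-in are assumptions made for the example.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set
from urllib.parse import parse_qs, urlsplit

RESET_PATH = "/admin/reset-password"  # assumed path, not Pimcore's


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request."""
    headers: Dict[str, str]
    scheme: str = "https"


def new_token() -> str:
    """The secret the attacker is after: a single-use, time-limited reset token."""
    return secrets.token_urlsafe(32)


def vulnerable_reset_link(req: Request, token: str) -> str:
    """Pre-fix shape: the link's host is copied from the request's Host header.

    Whoever sends the reset request controls that header, so a request made
    with `Host: attacker.example` yields an e-mail link to attacker.example.
    Frameworks that honour X-Forwarded-Host behind a proxy expose the same
    sink through that header.
    """
    host = req.headers["Host"]
    return f"{req.scheme}://{host}{RESET_PATH}?token={token}"


def hardened_reset_link(token: str, configured_base_url: Optional[str]) -> str:
    """Fixed shape: the host comes from server-side configuration only.

    When nothing is configured, refuse to issue a link instead of falling
    back to the request (the workaround described in the recommendations).
    """
    if not configured_base_url:
        raise RuntimeError("password reset disabled: no base URL configured")
    parts = urlsplit(configured_base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("configured base URL must be an absolute https URL")
    return f"https://{parts.netloc}{RESET_PATH}?token={token}"


def host_is_trusted(req: Request, trusted_hosts: Set[str]) -> bool:
    """Defence in depth: only serve requests whose Host is one we own.

    Strips an optional port and a trailing dot before comparing. IPv6
    literals are not handled; they are out of scope for an admin host list.
    """
    host = req.headers.get("Host", "").strip().lower()
    host = host.split(":", 1)[0].rstrip(".")
    return host in trusted_hosts


def link_host(url: str) -> str:
    """Where a victim's browser would send the token when the link is clicked."""
    return urlsplit(url).hostname or ""


def demo() -> Dict[str, object]:
    """Run both shapes against an attacker-crafted reset request."""
    token = new_token()
    # Constructed attacker request: a reset for some victim, but with a
    # Host header naming the attacker's server.
    attacker_req = Request(headers={"Host": "attacker.example"})
    trusted = {"cms.example.com"}

    vuln_link = vulnerable_reset_link(attacker_req, token)
    fixed_link = hardened_reset_link(token, "https://cms.example.com")
    try:
        hardened_reset_link(token, None)
        refused = False
    except RuntimeError:
        refused = True

    return {
        "token_leaks_to": link_host(vuln_link),           # "attacker.example"
        "fixed_link_host": link_host(fixed_link),         # "cms.example.com"
        "token_in_fixed_link": parse_qs(urlsplit(fixed_link).query)["token"] == [token],
        "reset_refused_when_unconfigured": refused,       # True
        "attacker_host_rejected": not host_is_trusted(attacker_req, trusted),  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints one line per check; the point to notice is that the vulnerable builder never inspects the Host value at all, so the fix is not to sanitise it but to stop reading it for this purpose. The allowlist check belongs in front of every request, not only the reset endpoint, which is what a catch-all default virtual host achieves at the web server layer.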

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2024-23648
GHSA-MRQG-MWH7-Q94J

Affected Products

Pimcore Admin Classic Bundle