PT-2024-33488 · Pimcore · Pimcore
Blackbitdevs
·
Published
2024-10-23
·
Updated
2024-11-06
·
CVE-2024-49370
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Pimcore portal engine versions prior to 4.1.7
Pimcore portal engine versions prior to 3.1.16
Description
The issue affects Pimcore, an open source data and experience management platform. When a PortalUserObject is connected to a PimcoreUser and "Use Pimcore Backend Password" is set to true, the change password function in Portal Profile sets the new password without hashing it, allowing it to be read by everyone. This issue can affect everyone who combines PortalUser to PimcoreUsers and changes passwords via profile settings.
Recommendations
For Pimcore portal engine versions prior to 4.1.7, update to version 4.1.7 to resolve the issue.
For Pimcore portal engine versions prior to 3.1.16, update to version 3.1.16 to resolve the issue.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pimcore