PT-2024-5575 · Pimcore · Pimcore Admin Classic Bundle

Mysliwietzflorian · Published 2024-07-15 · Updated 2024-08-11 · CVE-2024-41109

CVSS v2.0: 6.5 (Medium), Vector AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Pimcore Admin Classic Bundle versions prior to 1.3.10
Pimcore Admin Classic Bundle versions prior to 1.4.6
Pimcore Admin Classic Bundle versions prior to 1.5.2
Description

Navigating to "/admin/index/statistics" as a logged-in Pimcore user returns a JSON response that exposes details of the installation: the Pimcore version, the PHP version, the MySQL version, the installed bundles, and every database table in the system together with its row count. A web server should not return product and version information for the components it runs on, and table names and row counts should not be exposed to any authenticated user, since together they give an attacker with a valid login a precise picture of the stack and of the data held in it. Only authentication is required to reach the endpoint (CVSS Au:S); no elevated permission within Pimcore is needed.
Recommendations

For Pimcore Admin Classic Bundle versions prior to 1.3.10, update to version 1.3.10 or later.
For Pimcore Admin Classic Bundle versions prior to 1.4.6, update to version 1.4.6 or later.
For Pimcore Admin Classic Bundle versions prior to 1.5.2, update to version 1.5.2 or later.

As a temporary workaround until the update can be applied, restrict access to the "/admin/index/statistics" endpoint (for example at the web server or reverse proxy in front of Pimcore) to minimize the risk of exploitation.
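The following checker is an added example for this page, not code from the Pimcore project or the advisory. It takes a response from the "/admin/index/statistics" endpoint (the description above) and reports whether it still discloses version strings, installed bundles or table names with row counts, so it can be run before and after applying the update or the access restriction from the recommendations. The JSON layout of the sample bodies is constructed and assumed, not a verified copy of the real endpoint's output, which is why the functions recognise disclosures structurally (version-looking strings under component keys, name/row-count pairs, string lists under a "bundle" key) rather than by exact key names. The `fetch_and_assess` helper, the cookie handling and the `STATISTICS_PATH` constant are likewise assumptions of this example.

```python
"""Offline check for the kind of leakage described in this advisory.

Added example for this page, not code from the Pimcore project. The JSON
layout of SAMPLE_LEAKING_BODY is a constructed sample, not a verified copy of
the real endpoint's output, so the checker walks the document generically
instead of relying on exact key names.
"""
import json
import re
from typing import Any

STATISTICS_PATH = "/admin/index/statistics"  # assumed path, taken from the advisory text

# Dotted version number such as 8.2.12 or 10.11.6 (a "-MariaDB" suffix is fine)
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")
# Key fragments that usually carry product/version details (assumed names)
COMPONENT_HINTS = ("php", "mysql", "mariadb", "pimcore", "version")
NAME_KEYS = ("name", "table", "table_name")


def _is_int(v: Any) -> bool:
    return isinstance(v, int) and not isinstance(v, bool)


def _walk(node: Any, path: str = "$"):
    """Yield (json_path, value) for every scalar in a JSON document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, node


def find_version_disclosures(doc: Any) -> list[tuple[str, str]]:
    """(json_path, value) for strings that look like component version numbers."""
    return [(path, v) for path, v in _walk(doc)
            if isinstance(v, str) and VERSION_RE.search(v)
            and any(h in path.lower() for h in COMPONENT_HINTS)]


def find_bundle_disclosures(doc: Any) -> list[str]:
    """Strings found under any key whose name contains 'bundle'."""
    return [v for path, v in _walk(doc) if isinstance(v, str) and "bundle" in path.lower()]


def find_table_disclosures(doc: Any) -> list[tuple[str, int]]:
    """(table_name, row_count) pairs, recognised by structure: either a list of
    {name-like: str, row-like: int} dicts, or a dict mapping table names to
    integer counts that sits under a key containing 'table'."""
    found: list[tuple[str, int]] = []

    def visit(node: Any, path: str) -> None:
        if isinstance(node, dict):
            if "table" in path.lower() and node and all(_is_int(v) for v in node.values()):
                found.extend((k, v) for k, v in node.items())
                return
            for k, v in node.items():
                visit(v, f"{path}.{k}")
        elif isinstance(node, list):
            for i, item in enumerate(node):
                if isinstance(item, dict):
                    name = next((v for k, v in item.items()
                                 if isinstance(v, str) and k.lower() in NAME_KEYS), None)
                    rows = next((v for k, v in item.items()
                                 if _is_int(v) and "row" in k.lower()), None)
                    if name is not None and rows is not None:
                        found.append((name, rows))
                        continue
                visit(item, f"{path}[{i}]")

    visit(doc, "$")
    return found


def assess(status: int, body: str) -> dict:
    """Classify one response from STATISTICS_PATH as leaking installation details or not."""
    result = {"leaks": False, "reason": "", "versions": [], "bundles": [], "tables": []}
    if status != 200:
        result["reason"] = f"endpoint not served (HTTP {status})"
        return result
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        result["reason"] = "body is not JSON"
        return result
    result["versions"] = find_version_disclosures(doc)
    result["bundles"] = find_bundle_disclosures(doc)
    result["tables"] = find_table_disclosures(doc)
    result["leaks"] = bool(result["versions"] or result["bundles"] or result["tables"])
    result["reason"] = "installation details present" if result["leaks"] else "no installation details found"
    return result


def fetch_and_assess(base_url: str, cookie_header: str) -> dict:
    """Live variant (needs network): GET the endpoint with an authenticated session.
    cookie_header is the raw Cookie header value of a logged-in Pimcore user (assumed)."""
    import urllib.error
    import urllib.request

    req = urllib.request.Request(base_url.rstrip("/") + STATISTICS_PATH,
                                 headers={"Cookie": cookie_header, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return assess(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return assess(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample bodies (not captured from a real installation)
SAMPLE_LEAKING_BODY = json.dumps({
    "pimcore_version": "11.2.3", "php_version": "8.2.12", "mysql_version": "10.11.6-MariaDB",
    "bundles": ["PimcoreAdminBundle", "PimcoreEcommerceFrameworkBundle"],
    "tables": [{"name": "users", "rows": 42}, {"name": "assets", "rows": 12873},
               {"name": "documents", "rows": 510}],
})
SAMPLE_FIXED_BODY = json.dumps({"success": False, "message": "Forbidden"})

if __name__ == "__main__":
    for label, status, body in (("vulnerable", 200, SAMPLE_LEAKING_BODY),
                                ("restricted", 403, SAMPLE_FIXED_BODY)):
        r = assess(status, body)
        print(f"{label}: leaks={r['leaks']} ({r['reason']}); {len(r['versions'])} version "
              f"strings, {len(r['bundles'])} bundles, {len(r['tables'])} tables")
```

Run `fetch_and_assess("https://pimcore.example", "<cookie header of a logged-in user>")` against a test instance before and after the update: a result with `leaks` set to True shows the disclosure is still reachable, while a non-200 status or a JSON body without version strings, bundle names or table counts shows it is closed. If the update cannot be applied yet, one way to implement the workaround from the recommendations is a deny rule for exactly that path at the reverse proxy (for nginx, a `location = /admin/index/statistics { return 403; }` block), which the same check will then report as "endpoint not served".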

Exploit · Fix · Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2024-06256
CVE-2024-41109
GHSA-FX6J-9PP6-PH36

Affected Products

Pimcore Admin Classic Bundle