PT-2025-5999 · Pimcore · Pimcore Admin Classic Bundle
Author: Ayman-Rayan
Published: 2025-02-07 · Updated: 2025-11-04
CVE-2025-24980
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
pimcore/admin-ui-classic-bundle versions prior to 1.7.4
Description
The "Forgot password" function returns an error message that reveals whether a submitted username corresponds to an existing account, which allows user enumeration on the target. An attacker can use this to identify valid usernames, potentially facilitating further attacks.
Recommendations
For versions prior to 1.7.4, upgrade to version 1.7.4 to address the issue. As a temporary workaround, restrict access to the "Forgot password" function until the upgrade is applied.
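As an added illustration (not Pimcore's code; the user store, handler names and the monitor class are assumptions), a minimal forgot-password handler in the enumeration-prone form beside a uniform-response form, together with a regression check for the oracle and a simple counter that flags enumeration-style request patterns:

```python
import secrets
from collections import defaultdict

# Constructed user store and outbox; stand-ins for the real user table and mailer.
USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}


def forgot_password_leaky(username: str, outbox: list) -> dict:
    """Enumeration-prone pattern: the response depends on whether the account exists."""
    email = USERS.get(username)
    if email is None:
        return {"status": 404, "message": f"User {username} not found"}
    outbox.append((email, secrets.token_urlsafe(32)))
    return {"status": 200, "message": "A password reset link has been sent."}


def forgot_password_uniform(username: str, outbox: list) -> dict:
    """Hardened pattern: identical status and message for known and unknown usernames.
    The token is generated on every path so that step's cost does not reveal
    account existence through response timing; only the mail send is conditional."""
    token = secrets.token_urlsafe(32)
    email = USERS.get(username)
    if email is not None:
        outbox.append((email, token))
    return {"status": 200,
            "message": "If an account exists for that username, a reset link has been sent."}


def is_enumeration_oracle(handler, known: str, unknown: str) -> bool:
    """Regression check: True if the handler's response differs between a valid
    and an invalid username, i.e. it can be used to enumerate accounts."""
    return handler(known, []) != handler(unknown, [])


class ResetRequestMonitor:
    """Detection aid: flags a client that submits many distinct usernames to the
    forgot-password endpoint, which is the typical signature of an enumeration run."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.seen = defaultdict(set)  # client identifier -> distinct usernames tried

    def record(self, client_ip: str, username: str) -> bool:
        """Record one request; return True once the client crosses the threshold."""
        self.seen[client_ip].add(username)
        return len(self.seen[client_ip]) >= self.threshold
```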
Exploit
Fix
Weakness Enumeration
Related Identifiers
Affected Products
Pimcore Admin Classic Bundle