Vulnerability Details CVE-2023-49075
The Admin Classic Bundle provides a Backend UI for Pimcore. `AdminBundle\Security\PimcoreUserTwoFactorCondition` introduced in v11 disable the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the two factor credentials. This issue has been patched in version 1.2.2.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 1.3%
CVSS Severity
CVSS v3 Score 8.4
References
- https://github.com/pimcore/admin-ui-classic-bundle/commit/e412b0597830ae564a604e2579eb40e76f7f0628
- https://github.com/pimcore/admin-ui-classic-bundle/pull/345
- https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-9wwg-r3c7-4vfg
- https://patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch
- https://github.com/pimcore/admin-ui-classic-bundle/commit/e412b0597830ae564a604e2579eb40e76f7f0628
- https://github.com/pimcore/admin-ui-classic-bundle/pull/345
- https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-9wwg-r3c7-4vfg
- https://patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch
Products affected by CVE-2023-49075
-
cpe:2.3:a:pimcore:admin_classic_bundle:-
-
cpe:2.3:a:pimcore:admin_classic_bundle:1.0.0
-
cpe:2.3:a:pimcore:admin_classic_bundle:1.0.1
-
cpe:2.3:a:pimcore:admin_classic_bundle:1.0.2
-
cpe:2.3:a:pimcore:admin_classic_bundle:1.0.3
-
cpe:2.3:a:pimcore:admin_classic_bundle:1.0.4
-
cpe:2.3:a:pimcore:admin_classic_bundle:1.0.6
-
cpe:2.3:a:pimcore:admin_classic_bundle:1.1.0
-
cpe:2.3:a:pimcore:admin_classic_bundle:1.1.1
-
cpe:2.3:a:pimcore:admin_classic_bundle:1.1.2
-
cpe:2.3:a:pimcore:admin_classic_bundle:1.1.3
-
cpe:2.3:a:pimcore:admin_classic_bundle:1.1.4
-
cpe:2.3:a:pimcore:admin_classic_bundle:1.2.0
-
cpe:2.3:a:pimcore:admin_classic_bundle:1.2.1