Unverified password change : old password can be used as new password in pimcore/admin-ui-classic-bundle
Aug 25th 2023
Pimcore Platform v11.0.7 does not enforce a strict password policy, which allows an attacker to set the old password as the new password.
Proof of Concept
1- Go to https://demo.pimcore.com/admin/login
2- Log in with the demo user credentials [ Username: superuser Password: enterprisedemo ]
3- After logging in, click on -> "superuser | My Profile".
4- Go to "Change password", enter the old password as the new password and click save.
video PoC: https://drive.google.com/file/d/1eIRl5ilXDgQlz8AkZjqT9wn0irTCMcp8/view?usp=drive_link
Since the old password can be set as the new password, this is considered a password policy violation.
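The following is an added example, not Pimcore's own code (written in Python rather than the project's PHP), showing how a password-change handler can enforce the check this report says is missing: the new password is re-hashed under the stored salt and rejected if it matches the current password or any recent one. The iteration count, history depth and minimum length are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

ITERATIONS = 100_000   # PBKDF2-HMAC-SHA256 work factor (assumption; raise for production)
HISTORY_DEPTH = 5      # previous hashes kept to block reuse (assumption)
MIN_LENGTH = 12        # minimum new-password length (assumption)


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    # (salt, digest) pairs of previous passwords, most recent first
    history: list = field(default_factory=list)


def change_password(account: Account, current: str, new: str) -> str:
    """Change the password; return 'ok' or the reason the change was rejected.

    Only hashes are stored, so reuse is detected by re-hashing the new
    plaintext under each stored salt rather than comparing plaintexts."""
    if not verify_password(current, account.salt, account.digest):
        return "current password incorrect"
    if len(new) < MIN_LENGTH:
        return "new password too short"
    if verify_password(new, account.salt, account.digest):
        return "new password must differ from the current password"
    for salt, digest in account.history:
        if verify_password(new, salt, digest):
            return "new password was used recently"
    # Rotate the current hash into the history, then store the new one
    account.history = ([(account.salt, account.digest)] + account.history)[:HISTORY_DEPTH]
    account.salt, account.digest = hash_password(new)
    return "ok"
```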