Unverified password change: old password can be used as new password in pimcore/admin-ui-classic-bundle

Valid

Reported on

Aug 25th 2023


Description

Pimcore Platform v11.0.7 does not enforce a strict password policy, which allows an attacker (or any user) to set the old password as the new password.

Proof of Concept

1. Go to https://demo.pimcore.com/admin/login
2. Log in with the demo user credentials [ Username: superuser Password: enterprisedemo ]
3. Once logged in, click on "superuser | My Profile".
4. Go to the change password section, enter the old password as the new password and click save. The change is accepted.

PoC

video PoC: https://drive.google.com/file/d/1eIRl5ilXDgQlz8AkZjqT9wn0irTCMcp8/view?usp=drive_link

Impact

Because the old password can be set as the new password, a forced or voluntary password change does not actually rotate the credential; this is a password policy violation.
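The missing check described above, as an added example that is not Pimcore's own code: a password-change validator that authenticates the caller with the old password, then refuses a new password that verifies against the current stored hash (or against a short hash history). The hash format, the `PBKDF2_ITERATIONS` and `MIN_LENGTH` values, and the error messages are this example's own assumptions; the reuse check works on the stored hash, so it does not depend on the server ever seeing the old password in the clear.

```python
"""Password-change validator that rejects reuse of the current password.

Added example, not pimcore/admin-ui-classic-bundle code. Uses PBKDF2-HMAC-SHA256
from the Python standard library; the "algo$iterations$salt$digest" hash format
and the policy constants are assumptions made for this example.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Sequence

PBKDF2_ITERATIONS = 200_000  # assumed work factor for newly stored hashes
MIN_LENGTH = 10              # assumed minimum-length policy


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing hash string: algo$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored hash string."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class PasswordChangeError(ValueError):
    """Raised when a password change is refused by policy."""


def change_password(current_hash: str, old_password: str, new_password: str,
                    previous_hashes: Optional[Sequence[str]] = None) -> str:
    """Validate a password change and return the new hash to store.

    Order: authenticate the caller (old password must match the stored hash),
    then apply the policy to the new password. The reuse checks verify the new
    password against stored hashes, so they also work in flows where the old
    password is not presented in the clear.
    """
    if not verify_password(old_password, current_hash):
        raise PasswordChangeError("current password is incorrect")
    if len(new_password) < MIN_LENGTH:
        raise PasswordChangeError(f"new password must be at least {MIN_LENGTH} characters")
    # The check the report says is missing: new password must differ from the current one.
    if verify_password(new_password, current_hash):
        raise PasswordChangeError("new password must differ from the current password")
    # Optional history check (last N stored hashes), using the same mechanism.
    for old_hash in previous_hashes or []:
        if verify_password(new_password, old_hash):
            raise PasswordChangeError("new password was used previously")
    return hash_password(new_password)


def demo() -> dict:
    """Run the reuse case from the report against the validator; returns outcomes."""
    stored = hash_password("enterprisedemo")  # constructed demo account state
    outcomes = {}
    try:
        change_password(stored, "enterprisedemo", "enterprisedemo")
        outcomes["reuse"] = "accepted"
    except PasswordChangeError as exc:
        outcomes["reuse"] = f"rejected: {exc}"
    new_hash = change_password(stored, "enterprisedemo", "a-different-secret-42")
    outcomes["rotate"] = "accepted" if verify_password("a-different-secret-42", new_hash) else "broken"
    return outcomes


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Rejecting reuse by verifying the candidate against the stored hash, rather than comparing plaintexts, is what lets the same rule apply to admin-initiated resets and to self-service changes alike.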

We are processing your report and will contact the pimcore/admin-ui-classic-bundle team within 24 hours. 3 months ago
We have contacted a member of the pimcore/admin-ui-classic-bundle team and are waiting to hear back 3 months ago
pimcore/admin-ui-classic-bundle maintainer has acknowledged this report 3 months ago
Th3l0newolf
3 months ago

Researcher


@maintainer is this fixed

Divesh Pahuja
2 months ago

Hi @th3l0newolf, the issue is valid and we need to adjust this report to the correct repo, pimcore/admin-ui-classic-bundle. Could you please take care of it? We'll validate it once it is corrected.

Corrections required: repository: pimcore/admin-ui-classic-bundle; affected version: 1.1.2

thanks!

Th3l0newolf
2 months ago

Researcher


@maintainer, is there any way to update the repo? I tried looking for it. Please let me know where the option to update the repo is.

Divesh Pahuja
2 months ago

@admin could you please help with the corrections needed here? thanks!

Ben Harvie
2 months ago

Admin


Repository corrected as requested, thanks!

Th3l0newolf
2 months ago

Researcher


Thanks Ben, @maintainer you can check now.

Divesh Pahuja validated this vulnerability 2 months ago
Th3l0newolf [ Chinmay Divekar] has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Th3l0newolf
2 months ago

Researcher


Thanks @maintainer , is this issue eligible for CVE?

Divesh Pahuja
2 months ago

Yes, just waiting for the next release which fixes it; then I will mark it as fixed.

Divesh Pahuja marked this as fixed in 1.2.0 with commit 498ac7 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability a month ago