Headline
GHSA-vr5f-php7-rg24: Pimcore Admin Classic Bundle allows user enumeration
Description Summary
Pimcore Admin Classic Bundle allows attackers to enumerate valid accounts because the Forgot password functionality uses different messages when the account is valid vs not.
Details -> error message discloses existing accounts and leads to user enumeration on the target via “Forgot password” function. since no generic error message is being implemented.
PoC
Enter first a valid account email address and click on submit
A green message validating the account exists is shown and a login link is sent to the email
now go back and use a random email from temp-mail to test with a non existant account
click on submit and get an error in red that a problem occured
Impact user enumeration is a confidentiality threat , that could potentially lead to an attacker to enumerate valid accounts and maybe taking over accounts in case combined with credential stuffing on an organisation .
A remedition would be to change the error message in both cases ( valid and invalid emails ) to what we call a "synchronised error " it would be for example : " if the given email address is linked to an account , then a login link would be sent to that email " or something along those lines
Description
Summary
Pimcore Admin Classic Bundle allows attackers to enumerate valid accounts because the Forgot password functionality uses different messages when the account is valid vs not.
Details
-> error message discloses existing accounts and leads to user enumeration on the target via “Forgot password” function. since no generic error message is being implemented.
PoC
Enter first a valid account email address and click on submit
A green message validating the account exists is shown and a login link is sent to the email
now go back and use a random email from temp-mail to test with a non existant account
click on submit and get an error in red that a problem occured
Impact
user enumeration is a confidentiality threat , that could potentially lead to an attacker to enumerate valid accounts and maybe taking over accounts in case combined with credential stuffing on an organisation .
A remedition would be to change the error message in both cases ( valid and invalid emails ) to what we call a "synchronised error " it would be for example : " if the given email address is linked to an account , then a login link would be sent to that email " or something along those lines
References
- GHSA-vr5f-php7-rg24
- pimcore/admin-ui-classic-bundle#808
- pimcore/admin-ui-classic-bundle@96ae555
- https://nvd.nist.gov/vuln/detail/CVE-2025-24980