Headline
GHSA-5737-rqv4-v445: Pimcore Preview Documents are not restricted to logged in users anymore
Summary
Any call with the query argument ?pimcore_preview=true allows viewing unpublished sites, even in an incognito window. Because of how previews are meant to work, this also applies to internal documents, say an intranet, which could be really severe.
Details
In previous versions of Pimcore, session information would propagate to previews, so only a logged-in user could open a preview. This no longer applies. Previews are wide open to any user, and with just the hint of a restricted link one could gain access to possibly confidential / unreleased information.
PoC
- go to demo.pimcore.com
- unpublish a document
- open preview link in incognito tab
- see how the page loads normally
Impact
Any intranet or other restricted sites which are able to show a preview are affected. This could possibly be huge.
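To find out whether this was exploited before a patched version was deployed, a defender can scan web-server access logs for preview requests that were served without an authenticated session. The following is an added example and not part of the advisory or of Pimcore itself: the log format (an access log with the Cookie header appended as a final quoted field) and the cookie name ADMIN_SESSION_PLACEHOLDER are assumptions standing in for whatever session cookie the admin backend actually sets; the sample log lines are constructed.

```python
"""Flag pimcore_preview=true requests that were served without an admin session.

Added example. Assumptions: the reverse proxy logs the Cookie header as the
last quoted field, and ADMIN_SESSION_PLACEHOLDER stands in for the real admin
session cookie name, which this example does not know.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format plus a trailing quoted Cookie header (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<cookies>[^"]*)"$'
)

# Placeholder: replace with the session cookie name your admin backend sets.
ADMIN_SESSION_COOKIE = "ADMIN_SESSION_PLACEHOLDER"


def is_preview_request(target):
    """True when the request target carries pimcore_preview=true (any case)."""
    qs = parse_qs(urlsplit(target).query)
    return "true" in [v.lower() for v in qs.get("pimcore_preview", [])]


def has_admin_session(cookie_header):
    """True when the Cookie header names the admin session cookie."""
    names = {c.split("=", 1)[0].strip() for c in cookie_header.split(";") if c.strip()}
    return ADMIN_SESSION_COOKIE in names


def find_unauthenticated_previews(lines):
    """Return (ip, target, status) for preview requests answered 2xx with no session.

    A preview that was denied (403/404) is the expected behaviour after the fix,
    so only successfully served previews are reported.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: not this log format
        if not is_preview_request(m["target"]):
            continue
        if has_admin_session(m["cookies"]):
            continue  # legitimate editor preview
        if not m["status"].startswith("2"):
            continue
        hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


# Constructed sample log lines (addresses from documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2024:10:01:02 +0000] '
    '"GET /intranet/roadmap?pimcore_preview=true HTTP/1.1" 200 5120 "-"',
    '198.51.100.4 - - [10/Apr/2024:10:02:15 +0000] '
    '"GET /intranet/roadmap?pimcore_preview=true HTTP/1.1" 200 5120 '
    '"ADMIN_SESSION_PLACEHOLDER=abc123"',
    '203.0.113.7 - - [10/Apr/2024:10:03:40 +0000] '
    '"GET /intranet/roadmap HTTP/1.1" 404 312 "-"',
    '203.0.113.9 - - [10/Apr/2024:10:04:00 +0000] '
    '"GET /news?pimcore_preview=true HTTP/1.1" 403 210 "-"',
]

if __name__ == "__main__":
    for ip, target, status in find_unauthenticated_previews(SAMPLE_LOG):
        print(f"unauthenticated preview served: {ip} {target} -> {status}")
```

Only the first sample line is reported: it is a preview request with no admin session cookie that the server answered with 200. The second line is an editor with a session, the third is not a preview, and the fourth was denied, which is what a patched instance should do.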
References
- GHSA-5737-rqv4-v445
- https://nvd.nist.gov/vuln/detail/CVE-2024-29197
- pimcore/pimcore@3ae43fb