CVE-2024-23648 (GCVE-0-2024-23648)
Vulnerability from cvelistv5 – Published: 2024-01-24 18:05 – Updated: 2025-06-17 21:19
VLAI?
Title
Pimcore Admin Classic Bundle host header injection in the password reset
Summary
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password. The URL sent contains a unique token, valid during 24 hours, allowing the user to reset its password. This token is highly sensitive ; as an attacker able to retrieve it would be able to resets the user's password. Prior to version 1.2.3, the reset-password URL is crafted using the "Host" HTTP header of the request sent to request a password reset. This way, an external attacker could send password requests for users, but specify a "Host" header of a website that they control. If the user receiving the mail clicks on the link, the attacker would retrieve the reset token of the victim and perform account takeover. Version 1.2.3 fixes this issue.
Severity ?
8.8 (High)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| pimcore | admin-ui-classic-bundle |
Affected:
< 1.2.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:06:25.363Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-mrqg-mwh7-q94j",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-mrqg-mwh7-q94j"
},
{
"name": "https://github.com/pimcore/admin-ui-classic-bundle/commit/70f2205b5a5ea9584721d4f3e803f4d0dd5e4655",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/70f2205b5a5ea9584721d4f3e803f4d0dd5e4655"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23648",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-24T19:20:14.444869Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T21:19:28.999Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "admin-ui-classic-bundle",
"vendor": "pimcore",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pimcore\u0027s Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password. The URL sent contains a unique token, valid during 24 hours, allowing the user to reset its password. This token is highly sensitive ; as an attacker able to retrieve it would be able to resets the user\u0027s password. Prior to version 1.2.3, the reset-password URL is crafted using the \"Host\" HTTP header of the request sent to request a password reset. This way, an external attacker could send password requests for users, but specify a \"Host\" header of a website that they control. If the user receiving the mail clicks on the link, the attacker would retrieve the reset token of the victim and perform account takeover. Version 1.2.3 fixes this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-24T18:05:44.645Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-mrqg-mwh7-q94j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-mrqg-mwh7-q94j"
},
{
"name": "https://github.com/pimcore/admin-ui-classic-bundle/commit/70f2205b5a5ea9584721d4f3e803f4d0dd5e4655",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/70f2205b5a5ea9584721d4f3e803f4d0dd5e4655"
}
],
"source": {
"advisory": "GHSA-mrqg-mwh7-q94j",
"discovery": "UNKNOWN"
},
"title": "Pimcore Admin Classic Bundle host header injection in the password reset"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23648",
"datePublished": "2024-01-24T18:05:44.645Z",
"dateReserved": "2024-01-19T00:18:53.234Z",
"dateUpdated": "2025-06-17T21:19:28.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GSD-2024-23648
Vulnerability from gsd - Updated: 2024-01-19 06:02Details
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password. The URL sent contains a unique token, valid during 24 hours, allowing the user to reset its password. This token is highly sensitive ; as an attacker able to retrieve it would be able to resets the user's password. Prior to version 1.2.3, the reset-password URL is crafted using the "Host" HTTP header of the request sent to request a password reset. This way, an external attacker could send password requests for users, but specify a "Host" header of a website that they control. If the user receiving the mail clicks on the link, the attacker would retrieve the reset token of the victim and perform account takeover. Version 1.2.3 fixes this issue.
Aliases
{
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2024-23648"
],
"details": "Pimcore\u0027s Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password. The URL sent contains a unique token, valid during 24 hours, allowing the user to reset its password. This token is highly sensitive ; as an attacker able to retrieve it would be able to resets the user\u0027s password. Prior to version 1.2.3, the reset-password URL is crafted using the \"Host\" HTTP header of the request sent to request a password reset. This way, an external attacker could send password requests for users, but specify a \"Host\" header of a website that they control. If the user receiving the mail clicks on the link, the attacker would retrieve the reset token of the victim and perform account takeover. Version 1.2.3 fixes this issue.",
"id": "GSD-2024-23648",
"modified": "2024-01-19T06:02:13.198171Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2024-23648",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "admin-ui-classic-bundle",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "\u003c 1.2.3"
}
]
}
}
]
},
"vendor_name": "pimcore"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Pimcore\u0027s Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password. The URL sent contains a unique token, valid during 24 hours, allowing the user to reset its password. This token is highly sensitive ; as an attacker able to retrieve it would be able to resets the user\u0027s password. Prior to version 1.2.3, the reset-password URL is crafted using the \"Host\" HTTP header of the request sent to request a password reset. This way, an external attacker could send password requests for users, but specify a \"Host\" header of a website that they control. If the user receiving the mail clicks on the link, the attacker would retrieve the reset token of the victim and perform account takeover. Version 1.2.3 fixes this issue."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-74",
"lang": "eng",
"value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-mrqg-mwh7-q94j",
"refsource": "MISC",
"url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-mrqg-mwh7-q94j"
},
{
"name": "https://github.com/pimcore/admin-ui-classic-bundle/commit/70f2205b5a5ea9584721d4f3e803f4d0dd5e4655",
"refsource": "MISC",
"url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/70f2205b5a5ea9584721d4f3e803f4d0dd5e4655"
}
]
},
"source": {
"advisory": "GHSA-mrqg-mwh7-q94j",
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:pimcore:*:*",
"matchCriteriaId": "A09FDD6A-8483-4589-9A7E-46817A73788C",
"versionEndExcluding": "1.2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Pimcore\u0027s Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password. The URL sent contains a unique token, valid during 24 hours, allowing the user to reset its password. This token is highly sensitive ; as an attacker able to retrieve it would be able to resets the user\u0027s password. Prior to version 1.2.3, the reset-password URL is crafted using the \"Host\" HTTP header of the request sent to request a password reset. This way, an external attacker could send password requests for users, but specify a \"Host\" header of a website that they control. If the user receiving the mail clicks on the link, the attacker would retrieve the reset token of the victim and perform account takeover. Version 1.2.3 fixes this issue."
},
{
"lang": "es",
"value": "El paquete Admin Classic de Pimcore proporciona una interfaz de usuario backend para Pimcore. La funci\u00f3n de restablecimiento de contrase\u00f1a env\u00eda al usuario que solicita un cambio de contrase\u00f1a un correo electr\u00f3nico que contiene una URL para restablecer su contrase\u00f1a. La URL enviada contiene un token \u00fanico, v\u00e1lido durante 24 horas, que permite al usuario restablecer su contrase\u00f1a. Este token es muy sensible; ya que un atacante capaz de recuperarlo podr\u00eda restablecer la contrase\u00f1a del usuario. Antes de la versi\u00f3n 1.2.3, la URL de restablecimiento de contrase\u00f1a se elabora utilizando el encabezado HTTP \"Host\" de la solicitud enviada para solicitar un restablecimiento de contrase\u00f1a. De esta manera, un atacante externo podr\u00eda enviar solicitudes de contrase\u00f1a para los usuarios, pero especificar un encabezado \"Host\" de un sitio web que controla. Si el usuario que recibe el correo hace clic en el enlace, el atacante recuperar\u00e1 el token de reinicio de la v\u00edctima y realizar\u00e1 la apropiaci\u00f3n de la cuenta. La versi\u00f3n 1.2.3 soluciona este problema."
}
],
"id": "CVE-2024-23648",
"lastModified": "2024-02-02T15:45:25.457",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-01-24T18:15:08.877",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/70f2205b5a5ea9584721d4f3e803f4d0dd5e4655"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-mrqg-mwh7-q94j"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
}
}
}
FKIE_CVE-2024-23648
Vulnerability from fkie_nvd - Published: 2024-01-24 18:15 - Updated: 2024-11-21 08:58
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password. The URL sent contains a unique token, valid during 24 hours, allowing the user to reset its password. This token is highly sensitive ; as an attacker able to retrieve it would be able to resets the user's password. Prior to version 1.2.3, the reset-password URL is crafted using the "Host" HTTP header of the request sent to request a password reset. This way, an external attacker could send password requests for users, but specify a "Host" header of a website that they control. If the user receiving the mail clicks on the link, the attacker would retrieve the reset token of the victim and perform account takeover. Version 1.2.3 fixes this issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| pimcore | admin_classic_bundle | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:pimcore:*:*",
"matchCriteriaId": "A09FDD6A-8483-4589-9A7E-46817A73788C",
"versionEndExcluding": "1.2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Pimcore\u0027s Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password. The URL sent contains a unique token, valid during 24 hours, allowing the user to reset its password. This token is highly sensitive ; as an attacker able to retrieve it would be able to resets the user\u0027s password. Prior to version 1.2.3, the reset-password URL is crafted using the \"Host\" HTTP header of the request sent to request a password reset. This way, an external attacker could send password requests for users, but specify a \"Host\" header of a website that they control. If the user receiving the mail clicks on the link, the attacker would retrieve the reset token of the victim and perform account takeover. Version 1.2.3 fixes this issue."
},
{
"lang": "es",
"value": "El paquete Admin Classic de Pimcore proporciona una interfaz de usuario backend para Pimcore. La funci\u00f3n de restablecimiento de contrase\u00f1a env\u00eda al usuario que solicita un cambio de contrase\u00f1a un correo electr\u00f3nico que contiene una URL para restablecer su contrase\u00f1a. La URL enviada contiene un token \u00fanico, v\u00e1lido durante 24 horas, que permite al usuario restablecer su contrase\u00f1a. Este token es muy sensible; ya que un atacante capaz de recuperarlo podr\u00eda restablecer la contrase\u00f1a del usuario. Antes de la versi\u00f3n 1.2.3, la URL de restablecimiento de contrase\u00f1a se elabora utilizando el encabezado HTTP \"Host\" de la solicitud enviada para solicitar un restablecimiento de contrase\u00f1a. De esta manera, un atacante externo podr\u00eda enviar solicitudes de contrase\u00f1a para los usuarios, pero especificar un encabezado \"Host\" de un sitio web que controla. Si el usuario que recibe el correo hace clic en el enlace, el atacante recuperar\u00e1 el token de reinicio de la v\u00edctima y realizar\u00e1 la apropiaci\u00f3n de la cuenta. La versi\u00f3n 1.2.3 soluciona este problema."
}
],
"id": "CVE-2024-23648",
"lastModified": "2024-11-21T08:58:05.140",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-24T18:15:08.877",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/70f2205b5a5ea9584721d4f3e803f4d0dd5e4655"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-mrqg-mwh7-q94j"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/70f2205b5a5ea9584721d4f3e803f4d0dd5e4655"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-mrqg-mwh7-q94j"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-MRQG-MWH7-Q94J
Vulnerability from github – Published: 2024-01-24 20:54 – Updated: 2024-01-24 20:54
VLAI?
Summary
Host header injection in the password reset
Details
Summary
The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password.
The URL sent contains a unique token, valid during 24 hours, allowing the user to reset its password. This token is highly sensitive ; as an attacker able to retrieve it would be able to resets the user's password.
It was identified during the audit that the reset-password URL is crafted using the "Host" HTTP header of the request sent to request a password reset.
This way, an external attacker could send password requests for users, but specify a "Host" header of a website that they control. If the user receiving the mail clicks on the link, the attacker would retrieve the reset token of the victim and perform account takeover.
Details
This attack required the server to serve Pimcore on arbitrary "Host". This configuration would be plausible if the attacker is already behind the reverse proxy. During the assessment of my client, their instance was accepting any Host header, and they did not received security recommendations that they should restrict this while installing Pimcore.
From what I understood of Pimcore, the vulnerability is in the "admin-ui-classic-bundle", in the file src/Controller/Admin/UserController.php.
The following screenshots provide evidences of the vulnerability. The environment of the test is : dockerized Pimcore v11.1.1 on default configuration (https://pimcore.com/docs/platform/Pimcore/Getting_Started/Installation/Docker_Based_Installation/).
PoC
Remediation
Create a variable that sets the server host. Don't enable password reset functionality while this variable is not set ; or make sure that the administrator knows what they are doing.
I believe that just documenting that the server should not serve on any Host would not be enough to enforce a remediation to this vulnerability.
The Snipe-IT project managed this same issue by creating a "APP_ALLOW_INSECURE_HOSTS" variable, and retrieving the app absolute URL from a config file : https://github.com/snipe/snipe-it/commit/0c4768fd2a11ac26a61814cef23a71061bfd8bcc
Impact
Could lead to a 1-click account takeover
Severity ?
8.8 (High)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pimcore/admin-ui-classic-bundle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-23648"
],
"database_specific": {
"cwe_ids": [
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-24T20:54:49Z",
"nvd_published_at": "2024-01-24T18:15:08Z",
"severity": "HIGH"
},
"details": "### Summary\n\nThe password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password.\n\nThe URL sent contains a unique token, valid during 24 hours, allowing the user to reset its password.\nThis token is highly sensitive ; as an attacker able to retrieve it would be able to resets the user\u0027s password.\n\nIt was identified during the audit that the reset-password URL is crafted using the \"Host\" HTTP header of the request sent to request a password reset.\n\nThis way, an external attacker could send password requests for users, but specify a \"Host\" header of a website that they control.\nIf the user receiving the mail clicks on the link, the attacker would retrieve the reset token of the victim and perform account takeover.\n\n### Details\n\nThis attack required the server to serve Pimcore on arbitrary \"Host\". This configuration would be plausible if the attacker is already behind the reverse proxy.\nDuring the assessment of my client, their instance was accepting any Host header, and they did not received security recommendations that they should restrict this while installing Pimcore.\n\nFrom what I understood of Pimcore, the vulnerability is in the \"admin-ui-classic-bundle\", in the file src/Controller/Admin/UserController.php.\n\nThe following screenshots provide evidences of the vulnerability. The environment of the test is : dockerized Pimcore v11.1.1 on default configuration (https://pimcore.com/docs/platform/Pimcore/Getting_Started/Installation/Docker_Based_Installation/).\n\n### PoC\n\n\n\n### Remediation\nCreate a variable that sets the server host.\nDon\u0027t enable password reset functionality while this variable is not set ; or make sure that the administrator knows what they are doing.\n\nI believe that just documenting that the server should not serve on any Host would not be enough to enforce a remediation to this vulnerability.\n\nThe Snipe-IT project managed this same issue by creating a \"APP_ALLOW_INSECURE_HOSTS\" variable, and retrieving the app absolute URL from a config file :[ https://github.com/snipe/snipe-it/commit/0c4768fd2a11ac26a61814cef23a71061bfd8bcc](https://github.com/snipe/snipe-it/commit/0c4768fd2a11ac26a61814cef23a71061bfd8bcc)\n\n### Impact\nCould lead to a 1-click account takeover\n",
"id": "GHSA-mrqg-mwh7-q94j",
"modified": "2024-01-24T20:54:49Z",
"published": "2024-01-24T20:54:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-mrqg-mwh7-q94j"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23648"
},
{
"type": "WEB",
"url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/70f2205b5a5ea9584721d4f3e803f4d0dd5e4655"
},
{
"type": "PACKAGE",
"url": "https://github.com/pimcore/admin-ui-classic-bundle"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Host header injection in the password reset"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…