Vulnerability-Lookup

CVE-2024-25625 (GCVE-0-2024-25625)

Vulnerability from cvelistv5 – Published: 2024-02-19 15:41 – Updated: 2024-08-14 13:47

Title

Pimcore Host Header Injection in user invitation link

Summary

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in `pimcore/admin-ui-classic-bundle` prior to version 1.3.4. The vulnerability involves a Host Header Injection in the `invitationLinkAction` function of the UserController, specifically in the way `$loginUrl` trusts user input. The host header from incoming HTTP requests is used unsafely when generating URLs. An attacker can manipulate the HTTP host header in requests to the /admin/user/invitationlink endpoint, resulting in the generation of URLs with the attacker's domain. In fact, if a host header is injected in the POST request, the $loginURL parameter is constructed with this unvalidated host header. It is then used to send an invitation email to the provided user. This vulnerability can be used to perform phishing attacks by making the URLs in the invitation links emails point to an attacker-controlled domain. Version 1.3.4 contains a patch for the vulnerability. The maintainers recommend validating the host header and ensuring it matches the application's domain. It would also be beneficial to use a default trusted host or hostname if the incoming host header is not recognized or is absent.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

CWE

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/pimcore/admin-ui-classic-bundl…	x_refsource_CONFIRM
	https://github.com/pimcore/admin-ui-classic-bundl…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	pimcore	admin-ui-classic-bundle	Affected: < 1.3.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:44:09.805Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3qpq-6w89-f7mx",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3qpq-6w89-f7mx"
          },
          {
            "name": "https://github.com/pimcore/admin-ui-classic-bundle/commit/b9fee9d383fc73dbd5e1d98dbb0ff3266d6b5a82",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/b9fee9d383fc73dbd5e1d98dbb0ff3266d6b5a82"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:pimcore:admin_classic_bundle:1.0.0:-:*:*:*:pimcore:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "admin_classic_bundle",
            "vendor": "pimcore",
            "versions": [
              {
                "lessThan": "1.3.4",
                "status": "affected",
                "version": "1.0.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-25625",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-14T13:46:22.717165Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-14T13:47:42.851Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "admin-ui-classic-bundle",
          "vendor": "pimcore",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.3.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Pimcore\u0027s Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in `pimcore/admin-ui-classic-bundle` prior to version 1.3.4. The vulnerability involves a Host Header Injection in the `invitationLinkAction` function of the UserController, specifically in the way `$loginUrl` trusts user input.  The host header from incoming HTTP requests is used unsafely when generating URLs. An attacker can manipulate the HTTP host header in requests to the /admin/user/invitationlink endpoint, resulting in the generation of URLs with the attacker\u0027s domain. In fact, if a host header is injected in the POST request, the $loginURL parameter is constructed with this unvalidated host header. It is then used to send an invitation email to the provided user. This vulnerability can be used to perform phishing attacks by making the URLs in the invitation links emails point to an attacker-controlled domain. Version 1.3.4 contains a patch for the vulnerability. The maintainers recommend validating the host header and ensuring it matches the application\u0027s domain. It would also be beneficial to use a default trusted host or hostname if the incoming host header is not recognized or is absent."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-19T15:41:29.147Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3qpq-6w89-f7mx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3qpq-6w89-f7mx"
        },
        {
          "name": "https://github.com/pimcore/admin-ui-classic-bundle/commit/b9fee9d383fc73dbd5e1d98dbb0ff3266d6b5a82",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/b9fee9d383fc73dbd5e1d98dbb0ff3266d6b5a82"
        }
      ],
      "source": {
        "advisory": "GHSA-3qpq-6w89-f7mx",
        "discovery": "UNKNOWN"
      },
      "title": "Pimcore Host Header Injection in user invitation link"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-25625",
    "datePublished": "2024-02-19T15:41:29.147Z",
    "dateReserved": "2024-02-08T22:26:33.511Z",
    "dateUpdated": "2024-08-14T13:47:42.851Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Pimcore Host Header Injection in user invitation link\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-74\", \"lang\": \"en\", \"description\": \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"scope\": \"CHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3qpq-6w89-f7mx\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3qpq-6w89-f7mx\"}, {\"name\": \"https://github.com/pimcore/admin-ui-classic-bundle/commit/b9fee9d383fc73dbd5e1d98dbb0ff3266d6b5a82\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/pimcore/admin-ui-classic-bundle/commit/b9fee9d383fc73dbd5e1d98dbb0ff3266d6b5a82\"}], \"affected\": [{\"vendor\": \"pimcore\", \"product\": \"admin-ui-classic-bundle\", \"versions\": [{\"version\": \"\u003c 1.3.4\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-02-19T15:41:29.147Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Pimcore\u0027s Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in `pimcore/admin-ui-classic-bundle` prior to version 1.3.4. The vulnerability involves a Host Header Injection in the `invitationLinkAction` function of the UserController, specifically in the way `$loginUrl` trusts user input.  The host header from incoming HTTP requests is used unsafely when generating URLs. An attacker can manipulate the HTTP host header in requests to the /admin/user/invitationlink endpoint, resulting in the generation of URLs with the attacker\u0027s domain. In fact, if a host header is injected in the POST request, the $loginURL parameter is constructed with this unvalidated host header. It is then used to send an invitation email to the provided user. This vulnerability can be used to perform phishing attacks by making the URLs in the invitation links emails point to an attacker-controlled domain. Version 1.3.4 contains a patch for the vulnerability. The maintainers recommend validating the host header and ensuring it matches the application\u0027s domain. It would also be beneficial to use a default trusted host or hostname if the incoming host header is not recognized or is absent.\"}], \"source\": {\"advisory\": \"GHSA-3qpq-6w89-f7mx\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T23:44:09.805Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"name\": \"https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3qpq-6w89-f7mx\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"], \"url\": \"https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3qpq-6w89-f7mx\"}, {\"name\": \"https://github.com/pimcore/admin-ui-classic-bundle/commit/b9fee9d383fc73dbd5e1d98dbb0ff3266d6b5a82\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"], \"url\": \"https://github.com/pimcore/admin-ui-classic-bundle/commit/b9fee9d383fc73dbd5e1d98dbb0ff3266d6b5a82\"}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-25625\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-14T13:46:22.717165Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:pimcore:admin_classic_bundle:1.0.0:-:*:*:*:pimcore:*:*\"], \"vendor\": \"pimcore\", \"product\": \"admin_classic_bundle\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.0.0\", \"lessThan\": \"1.3.4\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-14T13:47:37.908Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-25625\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-02-08T22:26:33.511Z\", \"datePublished\": \"2024-02-19T15:41:29.147Z\", \"dateUpdated\": \"2024-08-14T13:47:42.851Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2024-25625

Vulnerability from gsd - Updated: 2024-02-09 06:02

Details

Aliases

CVE-2024-25625

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-25625"
      ],
      "details": "Pimcore\u0027s Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in `pimcore/admin-ui-classic-bundle` prior to version 1.3.4. The vulnerability involves a Host Header Injection in the `invitationLinkAction` function of the UserController, specifically in the way `$loginUrl` trusts user input.  The host header from incoming HTTP requests is used unsafely when generating URLs. An attacker can manipulate the HTTP host header in requests to the /admin/user/invitationlink endpoint, resulting in the generation of URLs with the attacker\u0027s domain. In fact, if a host header is injected in the POST request, the $loginURL parameter is constructed with this unvalidated host header. It is then used to send an invitation email to the provided user. This vulnerability can be used to perform phishing attacks by making the URLs in the invitation links emails point to an attacker-controlled domain. Version 1.3.4 contains a patch for the vulnerability. The maintainers recommend validating the host header and ensuring it matches the application\u0027s domain. It would also be beneficial to use a default trusted host or hostname if the incoming host header is not recognized or is absent.",
      "id": "GSD-2024-25625",
      "modified": "2024-02-09T06:02:34.363534Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-25625",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "admin-ui-classic-bundle",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 1.3.4"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "pimcore"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Pimcore\u0027s Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in `pimcore/admin-ui-classic-bundle` prior to version 1.3.4. The vulnerability involves a Host Header Injection in the `invitationLinkAction` function of the UserController, specifically in the way `$loginUrl` trusts user input.  The host header from incoming HTTP requests is used unsafely when generating URLs. An attacker can manipulate the HTTP host header in requests to the /admin/user/invitationlink endpoint, resulting in the generation of URLs with the attacker\u0027s domain. In fact, if a host header is injected in the POST request, the $loginURL parameter is constructed with this unvalidated host header. It is then used to send an invitation email to the provided user. This vulnerability can be used to perform phishing attacks by making the URLs in the invitation links emails point to an attacker-controlled domain. Version 1.3.4 contains a patch for the vulnerability. The maintainers recommend validating the host header and ensuring it matches the application\u0027s domain. It would also be beneficial to use a default trusted host or hostname if the incoming host header is not recognized or is absent."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-74",
                "lang": "eng",
                "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3qpq-6w89-f7mx",
            "refsource": "MISC",
            "url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3qpq-6w89-f7mx"
          },
          {
            "name": "https://github.com/pimcore/admin-ui-classic-bundle/commit/b9fee9d383fc73dbd5e1d98dbb0ff3266d6b5a82",
            "refsource": "MISC",
            "url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/b9fee9d383fc73dbd5e1d98dbb0ff3266d6b5a82"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-3qpq-6w89-f7mx",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "Pimcore\u0027s Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in `pimcore/admin-ui-classic-bundle` prior to version 1.3.4. The vulnerability involves a Host Header Injection in the `invitationLinkAction` function of the UserController, specifically in the way `$loginUrl` trusts user input.  The host header from incoming HTTP requests is used unsafely when generating URLs. An attacker can manipulate the HTTP host header in requests to the /admin/user/invitationlink endpoint, resulting in the generation of URLs with the attacker\u0027s domain. In fact, if a host header is injected in the POST request, the $loginURL parameter is constructed with this unvalidated host header. It is then used to send an invitation email to the provided user. This vulnerability can be used to perform phishing attacks by making the URLs in the invitation links emails point to an attacker-controlled domain. Version 1.3.4 contains a patch for the vulnerability. The maintainers recommend validating the host header and ensuring it matches the application\u0027s domain. It would also be beneficial to use a default trusted host or hostname if the incoming host header is not recognized or is absent."
          },
          {
            "lang": "es",
            "value": "El paquete Admin Classic de Pimcore proporciona una interfaz de usuario de backend para Pimcore. Se ha descubierto una posible vulnerabilidad de seguridad en `pimcore/admin-ui-classic-bundle` anterior a la versi\u00f3n 1.3.4. La vulnerabilidad implica una inyecci\u00f3n de encabezado de host en la funci\u00f3n `invitationLinkAction` del UserController, espec\u00edficamente en la forma en que `$loginUrl` conf\u00eda en la entrada del usuario. El encabezado del host de las solicitudes HTTP entrantes se utiliza de forma insegura al generar URL. Un atacante puede manipular el encabezado del host HTTP en solicitudes al ednpoint /admin/user/invitationlink, lo que genera la generaci\u00f3n de URL con el dominio del atacante. De hecho, si se inyecta un encabezado de host en la solicitud POST, el par\u00e1metro $loginURL se construye con este encabezado de host no validado. Luego se utiliza para enviar un correo electr\u00f3nico de invitaci\u00f3n al usuario proporcionado. Esta vulnerabilidad se puede utilizar para realizar ataques de phishing haciendo que las URL de los correos electr\u00f3nicos con enlaces de invitaci\u00f3n apunten a un dominio controlado por el atacante. La versi\u00f3n 1.3.4 contiene un parche para la vulnerabilidad. Los fabricantes recomiendan validar el encabezado del host y asegurarse de que coincida con el dominio de la aplicaci\u00f3n. Tambi\u00e9n ser\u00eda beneficioso utilizar un host o nombre de host confiable predeterminado si el encabezado del host entrante no se reconoce o est\u00e1 ausente."
          }
        ],
        "id": "CVE-2024-25625",
        "lastModified": "2024-02-20T19:50:53.960",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 1.7,
              "impactScore": 5.8,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-02-19T16:15:52.060",
        "references": [
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/b9fee9d383fc73dbd5e1d98dbb0ff3266d6b5a82"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3qpq-6w89-f7mx"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-74"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

FKIE_CVE-2024-25625

Vulnerability from fkie_nvd - Published: 2024-02-19 16:15 - Updated: 2025-04-01 15:38

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/pimcore/admin-ui-classic-bundle/commit/b9fee9d383fc73dbd5e1d98dbb0ff3266d6b5a82	Patch
security-advisories@github.com	https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3qpq-6w89-f7mx	Exploit, Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pimcore/admin-ui-classic-bundle/commit/b9fee9d383fc73dbd5e1d98dbb0ff3266d6b5a82	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3qpq-6w89-f7mx	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	pimcore	admin_classic_bundle	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:pimcore:*:*",
              "matchCriteriaId": "A1355BE1-E522-4E00-92A6-529F71D69903",
              "versionEndExcluding": "1.3.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Pimcore\u0027s Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in `pimcore/admin-ui-classic-bundle` prior to version 1.3.4. The vulnerability involves a Host Header Injection in the `invitationLinkAction` function of the UserController, specifically in the way `$loginUrl` trusts user input.  The host header from incoming HTTP requests is used unsafely when generating URLs. An attacker can manipulate the HTTP host header in requests to the /admin/user/invitationlink endpoint, resulting in the generation of URLs with the attacker\u0027s domain. In fact, if a host header is injected in the POST request, the $loginURL parameter is constructed with this unvalidated host header. It is then used to send an invitation email to the provided user. This vulnerability can be used to perform phishing attacks by making the URLs in the invitation links emails point to an attacker-controlled domain. Version 1.3.4 contains a patch for the vulnerability. The maintainers recommend validating the host header and ensuring it matches the application\u0027s domain. It would also be beneficial to use a default trusted host or hostname if the incoming host header is not recognized or is absent."
    },
    {
      "lang": "es",
      "value": "El paquete Admin Classic de Pimcore proporciona una interfaz de usuario de backend para Pimcore. Se ha descubierto una posible vulnerabilidad de seguridad en `pimcore/admin-ui-classic-bundle` anterior a la versi\u00f3n 1.3.4. La vulnerabilidad implica una inyecci\u00f3n de encabezado de host en la funci\u00f3n `invitationLinkAction` del UserController, espec\u00edficamente en la forma en que `$loginUrl` conf\u00eda en la entrada del usuario. El encabezado del host de las solicitudes HTTP entrantes se utiliza de forma insegura al generar URL. Un atacante puede manipular el encabezado del host HTTP en solicitudes al ednpoint /admin/user/invitationlink, lo que genera la generaci\u00f3n de URL con el dominio del atacante. De hecho, si se inyecta un encabezado de host en la solicitud POST, el par\u00e1metro $loginURL se construye con este encabezado de host no validado. Luego se utiliza para enviar un correo electr\u00f3nico de invitaci\u00f3n al usuario proporcionado. Esta vulnerabilidad se puede utilizar para realizar ataques de phishing haciendo que las URL de los correos electr\u00f3nicos con enlaces de invitaci\u00f3n apunten a un dominio controlado por el atacante. La versi\u00f3n 1.3.4 contiene un parche para la vulnerabilidad. Los fabricantes recomiendan validar el encabezado del host y asegurarse de que coincida con el dominio de la aplicaci\u00f3n. Tambi\u00e9n ser\u00eda beneficioso utilizar un host o nombre de host confiable predeterminado si el encabezado del host entrante no se reconoce o est\u00e1 ausente."
    }
  ],
  "id": "CVE-2024-25625",
  "lastModified": "2025-04-01T15:38:06.277",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 5.8,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.8,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-19T16:15:52.060",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/b9fee9d383fc73dbd5e1d98dbb0ff3266d6b5a82"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3qpq-6w89-f7mx"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/b9fee9d383fc73dbd5e1d98dbb0ff3266d6b5a82"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3qpq-6w89-f7mx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-3QPQ-6W89-F7MX

Vulnerability from github – Published: 2024-02-20 23:44 – Updated: 2024-02-20 23:44

Summary

Pimcore Host Header Injection in user invitation link

Details

Overview

A potential security vulnerability discovered in pimcore/admin-ui-classic-bundle version up to v1.3.3 . The vulnerability involves a Host Header Injection in the invitationLinkAction function of the UserController, specifically in the way $loginUrl trusts user input.

Details

The host header from incoming HTTP requests is used unsafely when generating URLs. An attacker can manipulate the HTTP host header in requests to the /admin/user/invitationlink endpoint, resulting in the generation of URLs with the attacker's domain.

In fact, if a host header is injected in the POST request, the $loginURL parameter is constructed with this unvalidated host header. It is then used to send an invitation email to the provided user.

Here is an excerpt from the affected section of UserController.php file:

// /src/Controller/Admin/UserController.php 
    public function invitationLinkAction(Request $request, TranslatorInterface $translator): JsonResponse
    {
            // ..snip..
                $token = Tool\Authentication::generateTokenByUser($user);
                $loginUrl = $this->generateCustomUrl([
                    'token' => $token,
                    'reset' => true,
                ]);

                try {
                    $mail = Tool::getMail([$user->getEmail()], 'Pimcore login invitation for ' . Tool::getHostname());
                    $mail->setIgnoreDebugMode(true);
                    $mail->text("Login to pimcore and change your password using the following link. This temporary login link will expire in  24 hours: \r\n\r\n" . $loginUrl);
                    $mail->send();
      // ..snip..
    }
    // ..snip..
    private function generateCustomUrl(array $params, string $fallbackUrl = 'pimcore_admin_login_check', int $referenceType = UrlGeneratorInterface::ABSOLUTE_URL): string
    {
        try {
            $adminEntryPointRoute = $this->getParameter('pimcore_admin.custom_admin_route_name');

            //try to generate invitation link for custom admin point
            $loginUrl = $this->generateUrl($adminEntryPointRoute, $params, $referenceType);
        } catch (\Exception $e) {
            //use default login check for invitation link
            $loginUrl = $this->generateUrl($fallbackUrl, $params, $referenceType);
        }

        return $loginUrl;
    }

The $loginUrl variable is constructed using the generateCustomUrl function. If an attacker injects a malicious host header into a POST request, the resulting $loginUrl will include the malicious domain, and this link is then sent via email to the user.

Proof of Concept

Here is an example of a request that exploits this vulnerability:

POST /admin/user/invitationlink HTTP/1.1 
Host: attacker-domain.evil 
Cookie: PHPSESSID=test
X-pimcore-extjs-version-major: 7
X-pimcore-extjs-version-minor: 0
X-Requested-With: XMLHttpRequest
X-pimcore-csrf-token: 961c37cf60edfdc2eec5a705cb048aaa8c32804d

username=[username of a valid user]

The URL in the email will look like: http://attacker-domain.evil/admin/login/login?token=[TOKEN]

Impact

This vulnerability can be used to perform phishing attacks by making the URLs in the invitation links emails point to an attacker-controlled domain.

Remediation

We recommend validating the host header and ensuring it matches the application's domain. It would also be beneficial to use a default trusted host or hostname if the incoming host header is not recognized or is absent.

Similar vulnerability (CVE-2024-23648) has been fixed in this project (https://github.com/pimcore/admin-ui-classic-bundle/commit/70f2205b5a5ea9584721d4f3e803f4d0dd5e4655)

Credit

Discovered by @v0lck3r (Oussama RAHALI), Feb 2024.

Severity ?

8.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/admin-ui-classic-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-25625"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-20T23:44:20Z",
    "nvd_published_at": "2024-02-19T16:15:52Z",
    "severity": "HIGH"
  },
  "details": "## Overview\n\nA potential security vulnerability discovered in `pimcore/admin-ui-classic-bundle` version up to v1.3.3 . The vulnerability involves a Host Header Injection in the `invitationLinkAction` function of the UserController, specifically in the way `$loginUrl` trusts user input. \n\n## Details\n\nThe host header from incoming HTTP requests is used unsafely when generating URLs. An attacker can manipulate the HTTP host header in requests to the /admin/user/invitationlink endpoint, resulting in the generation of URLs with the attacker\u0027s domain. \n\nIn fact, if a host header is injected in the POST request, the $loginURL parameter is constructed with this unvalidated host header. It is then used to send an invitation email to the provided user.\n\nHere is an excerpt from the affected section of UserController.php file:\n```\n// /src/Controller/Admin/UserController.php \n    public function invitationLinkAction(Request $request, TranslatorInterface $translator): JsonResponse\n    {\n            // ..snip..\n                $token = Tool\\Authentication::generateTokenByUser($user);\n                $loginUrl = $this-\u003egenerateCustomUrl([\n                    \u0027token\u0027 =\u003e $token,\n                    \u0027reset\u0027 =\u003e true,\n                ]);\n\n                try {\n                    $mail = Tool::getMail([$user-\u003egetEmail()], \u0027Pimcore login invitation for \u0027 . Tool::getHostname());\n                    $mail-\u003esetIgnoreDebugMode(true);\n                    $mail-\u003etext(\"Login to pimcore and change your password using the following link. This temporary login link will expire in  24 hours: \\r\\n\\r\\n\" . $loginUrl);\n                    $mail-\u003esend();\n      // ..snip..\n    }\n    // ..snip..\n    private function generateCustomUrl(array $params, string $fallbackUrl = \u0027pimcore_admin_login_check\u0027, int $referenceType = UrlGeneratorInterface::ABSOLUTE_URL): string\n    {\n        try {\n            $adminEntryPointRoute = $this-\u003egetParameter(\u0027pimcore_admin.custom_admin_route_name\u0027);\n\n            //try to generate invitation link for custom admin point\n            $loginUrl = $this-\u003egenerateUrl($adminEntryPointRoute, $params, $referenceType);\n        } catch (\\Exception $e) {\n            //use default login check for invitation link\n            $loginUrl = $this-\u003egenerateUrl($fallbackUrl, $params, $referenceType);\n        }\n\n        return $loginUrl;\n    }\n```\nThe $loginUrl variable is constructed using the generateCustomUrl function. If an attacker injects a malicious host header into a POST request, the resulting $loginUrl will include the malicious domain, and this link is then sent via email to the user.\n\n## Proof of Concept\n\nHere is an example of a request that exploits this vulnerability:\n```\nPOST /admin/user/invitationlink HTTP/1.1 \nHost: attacker-domain.evil \nCookie: PHPSESSID=test\nX-pimcore-extjs-version-major: 7\nX-pimcore-extjs-version-minor: 0\nX-Requested-With: XMLHttpRequest\nX-pimcore-csrf-token: 961c37cf60edfdc2eec5a705cb048aaa8c32804d\n\nusername=[username of a valid user]\n```\n\n\nThe URL in the email will look like: `http://attacker-domain.evil/admin/login/login?token=[TOKEN]`\n\n## Impact\n\nThis vulnerability can be used to perform phishing attacks by making the URLs in the invitation links emails point to an attacker-controlled domain.\n\n## Remediation\n\nWe recommend validating the host header and ensuring it matches the application\u0027s domain. It would also be beneficial to use a default trusted host or hostname if the incoming host header is not recognized or is absent.\n\nSimilar vulnerability (CVE-2024-23648) has been fixed in this project  (https://github.com/pimcore/admin-ui-classic-bundle/commit/70f2205b5a5ea9584721d4f3e803f4d0dd5e4655)\n\n## Credit\n\nDiscovered by @v0lck3r (Oussama RAHALI), Feb 2024.",
  "id": "GHSA-3qpq-6w89-f7mx",
  "modified": "2024-02-20T23:44:20Z",
  "published": "2024-02-20T23:44:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3qpq-6w89-f7mx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25625"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/admin-ui-classic-bundle/commit/b9fee9d383fc73dbd5e1d98dbb0ff3266d6b5a82"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/admin-ui-classic-bundle"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pimcore Host Header Injection in user invitation link"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-25625 (GCVE-0-2024-25625)

GSD-2024-25625

FKIE_CVE-2024-25625

GHSA-3QPQ-6W89-F7MX

Overview

Details

Proof of Concept

Impact

Remediation

Credit

Tags

Sightings

Nomenclature