What is the severity of CVE-2023-5844?

The severity of CVE-2023-5844 is medium with a CVSS score of 4.3.

What is the impact of CVE-2023-5844?

CVE-2023-5844 allows an attacker to set an old password as the new password in Pimcore, violating password policy.

How can an attacker exploit CVE-2023-5844?

To exploit CVE-2023-5844, an attacker can go to the Admin link, log in, and click on "User | My Profile" to set an old password as the new password.

What is the affected software of CVE-2023-5844?

The affected software of CVE-2023-5844 is pimcore/admin-ui-classic-bundle version up to exclusive 1.2.0.

Is there a fix for CVE-2023-5844?

Yes, the fixed version for CVE-2023-5844 is pimcore/admin-ui-classic-bundle version 1.2.0 or later.

Vulnerability/
CVE-2023-5844

high

7.2

CWE

620 287

EPSS

0.050%

30/10/2023

31/10/2023

6/9/2024

CVE-2023-5844: Unverified Password Change in pimcore/admin-ui-classic-bundle

First published: Mon Oct 30 2023(Updated: )

### Impact As old password can be set as new password , it is considered as password policy violation. Pimcore is not enforcing strict password policy which allow attacker to set old password as new password Proof of Concept 1. Go to Admin link 2. login and click on -> "User | My Profile". 3. Go to change password now put old password as new password and click save. ### Patches https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch ### Workarounds Update to version 1.2.0 or apply this patches manually https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch ### References https://huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021/

Credit: security@huntr.dev security@huntr.dev

Affected Software	Affected Version	How to fix
Pimcore Admin Classic Bundle	<1.2.0
composer/pimcore/admin-ui-classic-bundle	<1.2.0	1.2.0

Remedy

https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-5844?
The severity of CVE-2023-5844 is medium with a CVSS score of 4.3.
What is the impact of CVE-2023-5844?
CVE-2023-5844 allows an attacker to set an old password as the new password in Pimcore, violating password policy.
How can an attacker exploit CVE-2023-5844?
To exploit CVE-2023-5844, an attacker can go to the Admin link, log in, and click on "User | My Profile" to set an old password as the new password.
What is the affected software of CVE-2023-5844?
The affected software of CVE-2023-5844 is pimcore/admin-ui-classic-bundle version up to exclusive 1.2.0.
Is there a fix for CVE-2023-5844?
Yes, the fixed version for CVE-2023-5844 is pimcore/admin-ui-classic-bundle version 1.2.0 or later.

collector/nvd-api
collector/github-advisory-latest
alias/GHSA-6f58-j323-6472
alias/CVE-2023-5844
collector/nvd-cve
collector/github-advisory
agent/weakness
agent/author
agent/type
agent/last-modified-date
agent/softwarecombine
agent/first-publish-date
agent/references
agent/severity
agent/title
agent/remedy
agent/event
agent/tags
collector/epss-latest
source/FIRST
agent/description
agent/epss
collector/mitre-cve
source/MITRE
vendor/pimcore
canonical/pimcore admin classic bundle
package-manager/composer