CVE-2024-24822: Pimcore Admin Classic Bundle permissions are not getting checked when working with tags
First published: Wed Feb 07 2024(Updated: )
### Impact You can create, delete etc. tags without having the permission to do so. This vulnerability allows an attacker to perform broken access control and add tags to admin panel and add dumy data. One can do this as intruder and add text parameters with random numbers and this will effect integrity and availability. ### Patches Available in version 1.3.3. ### Workarounds Apply this pull request manually: https://github.com/pimcore/admin-ui-classic-bundle/pull/412 ### References -
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/pimcore/admin-ui-classic-bundle | <1.3.3 | 1.3.3 |
| Pimcore admin-ui-classic-bundle | <1.3.3 |
Remedy
https://github.com/pimcore/admin-ui-classic-bundle/commit/24660b6d5ad9cbcb037a48d4309a6024e9adf251
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-3rfr-mpfj-2jwq
- https://github.com/pimcore/admin-ui-classic-bundle/pull/412
- https://github.com/pimcore/admin-ui-classic-bundle/commit/24660b6d5ad9cbcb037a48d4309a6024e9adf251
- https://nvd.nist.gov/vuln/detail/CVE-2024-24822
- https://github.com/advisories/GHSA-3rfr-mpfj-2jwq (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-24822?
CVE-2024-24822 is classified as a medium severity vulnerability due to broken access control in the affected software.
How do I fix CVE-2024-24822?
To fix CVE-2024-24822, upgrade to the latest version of the Pimcore Admin UI Classic Bundle beyond 1.3.3.
What are the potential impacts of CVE-2024-24822?
CVE-2024-24822 allows unauthorized users to create and delete tags, leading to possible data manipulation.
Which versions are affected by CVE-2024-24822?
CVE-2024-24822 affects Pimcore Admin UI Classic Bundle version 1.3.3 and earlier.
Who is vulnerable to CVE-2024-24822?
Any users of the Pimcore Admin UI Classic Bundle versions up to 1.3.3 are vulnerable to CVE-2024-24822.
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/description
- agent/references
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-3rfr-mpfj-2jwq
- alias/CVE-2024-24822
- agent/software-canonical-lookup
- agent/title
- collector/github-advisory
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/composer
- vendor/pimcore
- canonical/pimcore admin-ui-classic-bundle