Get tailored security recommendations from our analyst team for CVE-2024-49370. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

Pimcore is an open source data and experience management platform. When a PortalUserObject is connected to a PimcoreUser and "Use Pimcore Backend Password" is set to true, the change password function in Portal Profile sets the new password. Prior to Pimcore portal engine versions 4.1.7 and 3.1.16, the password is then set without hashing so it can be read by everyone. Everyone who combines PortalUser to PimcoreUsers and change passwords via profile settings could be affected. Versions 4.1.7 and 3.1.16 of the Pimcore portal engine fix the issue.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

pimcore

Affected Versions:

< 3.1.16 >= 4.0.0, < 4.1.7

pimcore

Affected Versions:

0 4.0.0

References

https://github.com/pimcore/pimcore/security/advisories/GHSA-74p5-77rq-gfqc

Published: 2024-10-23T15:10:34.393Z

Last Modified: 2024-10-23T17:29:27.020Z

Copied to clipboard!

CVE-2024-49370

Expert Analysis

Description

Available Exploits

Related News

Affected Products

pimcore

Affected Versions:

pimcore

Affected Versions:

References

Request Analysis

What to expect

Request Received!