GHSA-fx6j-9pp6-ph36

GitHub Security Advisory

Pimcore vulnerable to disclosure of system and database information behind /admin firewall

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Summary

Navigating to `/admin/index/statistics` with a **logged-in Pimcore user** (as a normal navigation, not an XmlHttpRequest, because of this check: [IndexController:125](https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/IndexController.php#L125C24-L125C40)) exposes information about the Pimcore installation, the PHP version, the MySQL version, the installed bundles, and all database tables in the system together with their row counts.

> The web server should not return any product and version information of the components used. The table names and row counts should not be exposed.

### Details

`/admin/index/statistics` returns the following JSON response (abbreviated; comments mark elided parts):

```json
{
  "instanceId": "...",
  "pimcore_major_version": 11,
  "pimcore_version": "v11.3.1",
  "pimcore_hash": "3ecd39f21dbdd25ffdf4bec6e2c860eccfd3d008",
  "pimcore_platform_version": "v2024.2",
  "php_version": "8.3.8",
  "mysql_version": "10.11.8-MariaDB-ubu2204",
  "bundles": [
    // all installed bundles
  ],
  "tables": [
    // all tables and their row count, e.g.:
    {
      "name": "users",
      "rows": 2
    }
  ]
}
```

Information about the Pimcore version can also be seen in the admin UI:

In a current version:
![image](https://github.com/user-attachments/assets/f0f478da-ceca-4bd5-a391-3fe8458fa3d2)
![image](https://github.com/user-attachments/assets/152f6ad7-2cb3-42eb-bf05-1066a3496d59)

In Pimcore version 10.6.9:
![image](https://github.com/user-attachments/assets/907fb8d8-81b3-450f-bdb0-3e6193bfc243)
![image](https://github.com/user-attachments/assets/c4d89b88-f458-4023-a29f-d2ef652b2c3b)

### PoC

- [Demo App](https://demo.pimcore.fun/admin) with credentials user: admin and pass: demo
- Watch the Network tab in the browser's Developer Tools and look for the request to `/admin/index/statistics`

### Impact

Exploitable only by logged-in Pimcore users.

### Workaround and Patch

We applied the following additional permission check to Pimcore v10.6.9. It uses an app-specific permission constant, but any user permission would do.
This closes off navigation to `/admin/index/statistics`.

```patch
diff --git a/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php b/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php
--- a/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php (revision dd81ef4c666b18c254333867a60f6ed455025076)
+++ b/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php (date 1721225746781)
@@ -15,6 +15,7 @@

namespace Pimcore\Bundle\AdminBundle\Controller\Admin;

+use App\Constant\UserPermission;
use Doctrine\DBAL\Connection;
use Exception;
use Pimcore\Analytics\Google\Config\SiteConfigProvider;
@@ -142,6 +143,12 @@
throw $this->createAccessDeniedHttpException();
}

+ $user = $this->tokenResolver->getUser();
+
+ if (!$user->isAdmin() && !$user->isAllowed(UserPermission::ADMIN_INDEX_VIEW)) {
+ throw $this->createAccessDeniedException();
+ }
+
// DB
try {
$tables = $db->fetchAllAssociative('SELECT TABLE_NAME as name,TABLE_ROWS as `rows` from information_schema.TABLES
```
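Review bot: the first hunk imports the application class `App\Constant\UserPermission` into a file under `vendor/pimcore/pimcore/...`, so the fix both couples vendor code to the application and is silently discarded by the next `composer install`/`composer update`. Suggest either applying the change through a Composer patching plugin (for example cweagans/composer-patches) so it survives reinstalls, or moving the check into an application-level listener that denies the route before the controller runs.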
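Review bot: the second hunk calls `$user->isAdmin()` on the result of `$this->tokenResolver->getUser()` without a null guard; if no user token is present this becomes a fatal "call to a member function on null" instead of a clean 403, so suggest `if (!$user || (!$user->isAdmin() && !$user->isAllowed(UserPermission::ADMIN_INDEX_VIEW)))`. The hunk also relies on a `$this->tokenResolver` property that the patch does not introduce, so confirm the controller's constructor already injects it. Finally, the new branch throws `createAccessDeniedException()` while the existing check two lines above throws `createAccessDeniedHttpException()`; using the same helper keeps the two denial paths consistent.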

For the Pimcore version shown in the UI we used the `IndexActionSettingsEvent`. This works for versions earlier than Pimcore 11:

```php
<?php

namespace App\EventListener\Admin;

use App\Constant\UserPermission;
use Pimcore\Bundle\AdminBundle\Event\AdminEvents;
use Pimcore\Event\Admin\IndexActionSettingsEvent;
use Pimcore\Security\User\TokenStorageUserResolver;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

/**
 * Blanks out the instance id, version and build in the admin index settings
 * for users who are neither admins nor granted the app-specific permission.
 *
 * @deprecated and cannot be used in Pimcore 11
 */
class PimcoreVersionUIGuardSubscriber implements EventSubscriberInterface
{
    public function __construct(private readonly TokenStorageUserResolver $tokenResolver)
    {
    }

    public static function getSubscribedEvents(): array
    {
        return [
            AdminEvents::INDEX_ACTION_SETTINGS => ['onIndexActionSettingsEvent'],
        ];
    }

    public function onIndexActionSettingsEvent(IndexActionSettingsEvent $event): void
    {
        $user = $this->tokenResolver->getUser();

        // Privileged users keep the full settings payload.
        if ($user->isAdmin() || $user->isAllowed(UserPermission::ADMIN_INDEX_VIEW)) {
            return;
        }

        // Everyone else gets the settings with the version details removed.
        $settings = $event->getSettings();
        $settings['instanceId'] = '';
        $settings['version'] = '';
        $settings['build'] = '';
        $event->setSettings($settings);
    }
}
```
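The workaround above edits a vendor controller and the subscriber only covers the UI settings. The following is an added example (not code from the advisory, and not Pimcore's own) of enforcing the same permission rule for the statistics route itself from application code, so it survives `composer update`: a Symfony `kernel.request` subscriber that resolves the logged-in Pimcore user and denies the request unless the user is an admin or holds a permission. Assumptions: the permission key `admin_index_view` is a placeholder for a custom permission registered in the Pimcore backend, the class name and namespace are mine, and the Pimcore/Symfony classes used (`TokenStorageUserResolver`, `RequestEvent`, `AccessDeniedHttpException`) are the ones the advisory's own code and the Symfony HttpKernel provide.

```php
<?php

namespace App\EventListener\Admin;

use Pimcore\Security\User\TokenStorageUserResolver;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\KernelEvents;

/**
 * Denies the statistics endpoint to users without a dedicated permission,
 * without touching vendor code. Added example; names are hypothetical.
 */
class StatisticsEndpointGuardSubscriber implements EventSubscriberInterface
{
    // Placeholder permission key: register a permission with this name in
    // the Pimcore backend and grant it only to users who need the data.
    private const REQUIRED_PERMISSION = 'admin_index_view';

    // Only the path the advisory describes; extend the list if other
    // routes in your installation expose comparable details.
    private const GUARDED_PATHS = ['/admin/index/statistics'];

    public function __construct(private readonly TokenStorageUserResolver $tokenResolver)
    {
    }

    public static function getSubscribedEvents(): array
    {
        // Priority 0 runs after Symfony's firewall listener (priority 8), so
        // the admin user has already been authenticated when we look it up.
        return [KernelEvents::REQUEST => ['onKernelRequest', 0]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        // Sub-requests (forwards, fragments) inherit the main request's decision.
        if (!$event->isMainRequest()) {
            return;
        }

        // Normalise a trailing slash so "/admin/index/statistics/" is caught too.
        $path = rtrim($event->getRequest()->getPathInfo(), '/');
        if (!in_array($path, self::GUARDED_PATHS, true)) {
            return;
        }

        $user = $this->tokenResolver->getUser();

        // Null user (no token) is denied as well, instead of crashing on a
        // method call on null; admins and permitted users pass through.
        if ($user === null
            || (!$user->isAdmin() && !$user->isAllowed(self::REQUIRED_PERMISSION))) {
            throw new AccessDeniedHttpException('Not allowed to view installation statistics.');
        }
    }
}
```

With Symfony's default `services.yaml` (`autowire: true`, `autoconfigure: true`) the class is picked up as an event subscriber automatically; otherwise tag it with `kernel.event_subscriber`. Because the denial happens before the controller is invoked, it applies regardless of whether the request is an XmlHttpRequest or a plain navigation, and it can be removed cleanly once the installation is upgraded to a fixed bundle version.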

Affected Packages

Packagist pimcore/admin-ui-classic-bundle
Affected versions: 0 (fixed in 1.5.2)

Key Information

GHSA ID
GHSA-fx6j-9pp6-ph36
Published
July 30, 2024 2:52 PM
Last Modified
July 30, 2024 3:44 PM
CVSS Score
5.0 /10
Primary Ecosystem
Packagist
Primary Package
pimcore/admin-ui-classic-bundle
GitHub Reviewed
✓ Yes

Dataset

Last updated: November 26, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.