Skip to main content

Admin Classic Bundle CVE-2023-47636

MEDIUM
Error Message Information Leak (CWE-209)
2023-11-15 security-advisories@github.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 15, 2023 - 20:15 nvd
MEDIUM 5.3

DescriptionNVD

The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view. In the case of pimcore, the fopen() function here doesn't have an error handle when the file doesn't exist on the server so the server response raises the full path "fopen(/var/www/html/var/tmp/export-{ uniqe id}.csv)". This issue has been patched in commit 10d178ef771 which has been included in release version 1.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

AnalysisAI

The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-209. The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path to the file they wish to view. In the case of pimcore, the fopen() function here doesn't have an error handle when the file doesn't exist on the server so the server response raises the full path "fopen(/var/www/html/var/tmp/export-{ uniqe id}.csv)". This issue has been patched in commit 10d178ef771 which has been included in release version 1.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Pimcore Admin Classic Bundle. Version information: version 1.2.1..

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2024-25625 CRITICAL POC
9.3 Feb 19

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Rated critical severity (CVSS 9.3), this vulnerability

CVE-2024-23646 HIGH POC
8.8 Jan 24

Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Rated high severity (CVSS 8.8), this vulne

CVE-2024-23648 HIGH POC
8.8 Jan 24

Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Rated high severity (CVSS 8.8), this vulne

CVE-2023-5844 HIGH POC
7.2 Oct 30

Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0. Rated high severity (CVS

CVE-2024-41109 MEDIUM POC
6.5 Jul 30

Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Rated medium severity (CVSS 6.5), this vul

CVE-2024-24822 CRITICAL
9.1 Feb 07

Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Rated critical severity (CVSS 9.1), this v

CVE-2026-23495 MEDIUM POC
4.3 Jan 15

Pimcore Admin Classic Bundle versions prior to 2.2.3 and 1.7.16 fail to enforce proper authorization on the Predefined P

CVE-2023-49075 HIGH
7.2 Nov 28

The Admin Classic Bundle provides a Backend UI for Pimcore. Rated high severity (CVSS 7.2), this vulnerability is remote

CVE-2023-46722 MEDIUM
6.1 Oct 31

The Pimcore Admin Classic Bundle provides a backend UI for Pimcore. Rated medium severity (CVSS 6.1), this vulnerability

CVE-2023-37280 MEDIUM
6.1 Jul 11

Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. Rated medium severity (CVSS

CVE-2023-42817 MEDIUM
5.4 Sep 25

Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore. Rated medium severity (CVSS 5.4), this vulnerability

CVE-2025-30166 LOW
1.8 Apr 08

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Rated low severity (CVSS 1.8), this vulnerability is r

Share

CVE-2023-47636 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy