Pimcore Admin-Ui-Classic-Bundle vulnerabilities

CVE-2026-23495 [MEDIUM] CWE-284 Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing ### Summary The API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across document

CVE-2025-30166 [LOW] CWE-79 CVE-2025-30166: Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. An HTML injection issue allows use Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. An HTML injection issue allows users with access to the email sending functionality to inject arbitrary HTML code into emails sent via the admin interface, potentially leading to session cookie theft and the alteration of page content. The vulnerability was discovered in the /admin/email/

CVE-2025-24980 [MEDIUM] CWE-204 CVE-2025-24980: pimcore/admin-ui-classic-bundle provides a Backend UI for Pimcore. In affected versions an error mes pimcore/admin-ui-classic-bundle provides a Backend UI for Pimcore. In affected versions an error message discloses existing accounts and leads to user enumeration on the target via "Forgot password" function. No generic error message has been implemented. This issue has been addressed in version 1.7.4 and all users are advised to upgrade. There are

CVE-2024-45048 [MEDIUM] Pimcore includes vulnerable PHPOffice/PhpSpreadsheet Pimcore includes vulnerable PHPOffice/PhpSpreadsheet ### Summary Pimcore 10.6.x and Enterprise 10.6.x versions currently depend on PHPOffice/PhpSpreadsheet version 1.x, which has recently been identified with a security vulnerability (CVE-2024-45048). To mitigate this issue, it is recommended to update to the latest version 2.2.2. For more details, please refer to the official advisory: [GHSA-ghg6-32f9-2jp7](https://gi

CVE-2024-41109 [MEDIUM] CWE-200 CVE-2024-41109: Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Navigating to `/admin/ Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Navigating to `/admin/index/statistics` with a logged in Pimcore user exposes information about the Pimcore installation, PHP version, MYSQL version, installed bundles and all database tables and their row count in the system. This vulnerability is fixed in 1.5.2, 1.4.6, a

CVE-2024-25625 [CRITICAL] CWE-74 CVE-2024-25625: Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in `pimcore/admin-ui-classic-bundle` prior to version 1.3.4. The vulnerability involves a Host Header Injection in the `invitationLinkAction` function of the UserController, specifically in the way `$loginUrl` trusts user input.

CVE-2024-24822 [CRITICAL] CWE-862 CVE-2024-24822: Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Prior to version 1.3.3 Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Prior to version 1.3.3, an attacker can create, delete etc. tags without having the permission to do so. A fix is available in version 1.3.3. As a workaround, one may apply the patch manually.

CVE-2024-23646 [HIGH] CWE-89 CVE-2024-23646: Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, parameter `selectedIds` is susceptible to SQL Injection. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alt

CVE-2024-23648 [HIGH] CWE-74 CVE-2024-23648: Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The password reset fun Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password. The URL sent contains a unique token, valid during 24 hours, allowing the user to reset its password. This token is highly sensitive ; as an a

CVE-2023-49075 [HIGH] CWE-308 CVE-2023-49075: The Admin Classic Bundle provides a Backend UI for Pimcore. `AdminBundle\Security\PimcoreUserTwoFact The Admin Classic Bundle provides a Backend UI for Pimcore. `AdminBundle\Security\PimcoreUserTwoFactorCondition` introduced in v11 disable the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the two factor credentials. This issue has been patched in version 1.2.2.

CVE-2023-47636 [MEDIUM] CWE-209 CVE-2023-47636: The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Full Path Disclosure (FPD) vulne The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) query to view the page source, require the attacker to have the full path

CVE-2023-46722 [MEDIUM] CWE-79 CVE-2023-46722: The Pimcore Admin Classic Bundle provides a backend UI for Pimcore. Prior to version 1.2.0, a cross- The Pimcore Admin Classic Bundle provides a backend UI for Pimcore. Prior to version 1.2.0, a cross-site scripting vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Users should upgrade to version 1.2.0 to receive a patch o

CVE-2023-5844 [MEDIUM] CWE-287 pimcore/admin-ui-classic-bundle Unverified Password Change pimcore/admin-ui-classic-bundle Unverified Password Change ### Impact As old password can be set as new password , it is considered as password policy violation. Pimcore is not enforcing strict password policy which allow attacker to set old password as new password Proof of Concept 1. Go to Admin link 2. login and click on -> "User | My Profile". 3. Go to change password now put old password as new pass

CVE-2023-42817 [MEDIUM] CWE-79 CVE-2023-42817: Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore. The translation value with text i Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore. The translation value with text including “%s” (from “%suggest%) is parsed by sprintf() even though it’s supposed to be output literally to the user. The translations may be accessible by a user with comparatively lower overall access (as the translation permission cannot be scoped to

CVE-2023-37280 [MEDIUM] CWE-79 CVE-2023-37280: Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. An admi Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. An admin who has not setup two factor authentication before is vulnerable for this attack, without need for any form of privilege, causing the application to execute arbitrary scripts/HTML content. This vulnerability has been patched in version 1.0.3.