VYPR
Moderate severity · NVD Advisory · Published Oct 30, 2023 · Updated Sep 6, 2024

Unverified Password Change in pimcore/admin-ui-classic-bundle

CVE-2023-5844

Description

Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

"Unverified Password Change" in Pimcore Admin Classic Bundle prior to v1.2.0 allows an authenticated user to set the password to the current password, violating password change policy.

Vulnerability

CVE-2023-5844 is an unverified password change vulnerability in Pimcore's admin-ui-classic-bundle before version 1.2.0. The issue lies in the password reset functionality where the application does not verify that the new password is different from the current password. As noted in the security advisory, this means an authenticated user could set their password to the same value as the old password, effectively making the password change meaningless and violating standard password policy requirements [1][4].

Exploitation

Exploitation requires an authenticated session in the Pimcore admin interface. An attacker with valid credentials can navigate to "User | My Profile", change the password, and simply enter the current password as the new password. The server would accept this change without any validation that the new password differs from the old one [3][4]. The patch introduced a check using Tool\Authentication::verifyPassword to reject attempts where the new password matches the old password [3].

Impact

The primary impact is a circumvention of password rotation policies. An attacker who has gained temporary access to a legitimate session (e.g., via session hijacking or physical access) could reset the password to the original value, maintaining their access. For normal users, this could also allow them to bypass organizational password history requirements, weakening overall account security. The advisory describes it as a password policy violation [4].

Mitigation

The vulnerability is fixed in version 1.2.0 of the admin-ui-classic-bundle. Users should update to this version or apply the provided patch manually. The fix adds a validation that checks the old password against the new one and throws an exception if they match [3][4]. Note that the bundle has reached end of feature development, but bug fixes are still accepted until end of 2025 [2].
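As an added illustration (not code from Pimcore or from the advisory), the following stand-alone PHP validator performs the same checks the fix adds, with a strict confirmation comparison, and goes one step further by rejecting recently used passwords; the class, method and sample values are constructed for this example.

```php
<?php
// Hypothetical validator mirroring the CVE-2023-5844 fix: the caller must prove
// the current password, the confirmation must match exactly, and the new
// password must not verify against the current hash (or any recent hash).
final class PasswordChangeValidator
{
    /**
     * @param string   $currentHash    password_hash() of the account's current password
     * @param string[] $previousHashes hashes of recently used passwords (history)
     * @return string[] list of validation errors; empty means the change is acceptable
     */
    public function validate(string $currentHash, string $old, string $new,
                             string $retype, array $previousHashes = []): array
    {
        $errors = [];

        // 1. Knowledge of the current password is required before anything else.
        if (!password_verify($old, $currentHash)) {
            $errors[] = 'old password is incorrect';
            return $errors; // stop here; say nothing about the proposed value
        }

        // 2. Strict comparison: in PHP '1e3' == '1000' is true, '1e3' === '1000' is not.
        if ($new !== $retype) {
            $errors[] = 'new password and confirmation do not match';
        }

        // 3. The check the patch introduced: the new password must differ from the old one.
        if (password_verify($new, $currentHash)) {
            $errors[] = 'new password cannot be the same as the old one';
        }

        // 4. Beyond the patch: enforce a password history so old values cannot be reused.
        foreach ($previousHashes as $hash) {
            if (password_verify($new, $hash)) {
                $errors[] = 'new password was used recently';
                break;
            }
        }

        return $errors;
    }
}

// Constructed demo data.
$current = password_hash('current-pass-example', PASSWORD_DEFAULT);
$history = [password_hash('previous-pass-example', PASSWORD_DEFAULT)];
$validator = new PasswordChangeValidator();

foreach (['current-pass-example', 'previous-pass-example', 'fresh-pass-example'] as $candidate) {
    echo $candidate, ': ', json_encode($validator->validate($current, 'current-pass-example', $candidate, $candidate, $history)), PHP_EOL;
}
```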

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                      Affected versions   Patched versions
pimcore/admin-ui-classic-bundle (Packagist)  < 1.2.0-RC1         1.2.0-RC1

Patches

498ac77e5454

[Improvement]: Check if new password is NOT the same as the old one when resetting (#285)

2 files changed · +6 −0
  • CHANGELOG.md (+1 −0, modified)
    @@ -1,5 +1,6 @@
     #### v1.2.0
      - DataObject used to automatically reload version after save, but now it's triggered only on successfull save. The reload can be forced by setting `forceReloadVersionsAfterSave` to `true` in a `postSaveObject` event listener.
    + - [User -> Settings] When resetting password, setting the new password same as the old one would throw an error.
     
     #### v1.1.0
      - `Pimcore\Bundle\AdminBundle\Service\ElementService` is marked as internal.
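Review bot: the added entry `+ - [User -> Settings] When resetting password, setting the new password same as the old one would throw an error.` describes the behaviour conditionally ("would throw") and does not reference #285 or the security issue it closes; suggest "[User -> Settings] Resetting the password to the current password now throws an error (#285)" so the line reads as a statement of behaviour and is searchable by PR. The neighbouring context line still spells "successfull"; worth correcting while this file is being touched.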
    
  • src/Controller/Admin/UserController.php (+5 −0, modified)
    @@ -589,6 +589,11 @@ public function updateCurrentUserAction(Request $request, ValidatorInterface $va
                         }
     
                         if ($oldPasswordCheck && $values['new_password'] == $values['retype_password']) {
    +
    +                        if (Tool\Authentication::verifyPassword($user, $values['new_password'])) {
    +                            throw new \Exception('The new password cannot be the same as the old one');
    +                        }
    +
                             $values['password'] = Tool\Authentication::getPasswordHash($user->getName(), $values['new_password']);
                         } else {
                             if (!$oldPasswordCheck) {
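Review bot: the enclosing condition on the context line `if ($oldPasswordCheck && $values['new_password'] == $values['retype_password'])` uses loose `==`; PHP compares two numeric strings numerically, so `'1e3' == '1000'` is true and a mistyped confirmation can pass, which undermines the retype check that guards the new branch. Suggest `===` there. The new block itself is placed correctly, after the old password has been verified, but it throws a bare `\Exception('The new password cannot be the same as the old one')`; since the method already receives a `ValidatorInterface`, reporting this as a validation error (or a dedicated exception type) would let callers distinguish a rejected input from an unexpected failure and return a proper validation response instead of a generic error.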
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
