VYPR
Moderate severity · NVD Advisory · Published Feb 7, 2024 · Updated Nov 7, 2024

Pimcore Admin Classic Bundle permissions are not getting checked when working with tags

CVE-2024-24822

Description

Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Prior to version 1.3.3, an attacker can perform tag operations (create, delete, etc.) without having the permission to do so. A fix is available in version 1.3.3. As a workaround, one may apply the patch manually.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
pimcore/admin-ui-classic-bundle (Packagist) | < 1.3.3 | 1.3.3

Patches

24660b6d5ad9

Fix: Tag access rights (#412)

1 file changed · +6 −0
  • src/Controller/Admin/TagsController.php+6 0 modified
    @@ -41,6 +41,8 @@ class TagsController extends AdminAbstractController
          */
         public function addAction(Request $request): JsonResponse
         {
    +        $this->checkPermission('tags_configuration');
    +
             try {
                 $tag = new Tag();
                 $tag->setName(strip_tags($request->get('text', '')));
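Review bot: in addAction the permission key is a bare string literal, 'tags_configuration', and the same literal is pasted into deleteAction and updateAction in the following hunks, so a state-changing action added later without this line would be unprotected again. Consider a class constant for the key, or enforcing the check once for the whole controller instead of per action. Placing the call before the `try` is the right spot, since a denied request is then not handled by the same path as ordinary tag errors inside the block.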
    @@ -64,6 +66,8 @@ public function addAction(Request $request): JsonResponse
          */
         public function deleteAction(Request $request): JsonResponse
         {
    +        $this->checkPermission('tags_configuration');
    +
             $tag = Tag::getById((int) $request->get('id'));
             if ($tag) {
                 $tag->delete();
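Review bot: the docblock above deleteAction (its closing `*/` is in the context lines) is left unchanged, so nothing in the method's documentation says that 'tags_configuration' is now required; a one-line note there would help the next reader. The check itself is correctly placed ahead of `Tag::getById(...)`, so no tag is loaded or deleted before authorization is decided.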
    @@ -85,6 +89,8 @@ public function deleteAction(Request $request): JsonResponse
          */
         public function updateAction(Request $request): JsonResponse
         {
    +        $this->checkPermission('tags_configuration');
    +
             $tag = Tag::getById((int) $request->get('id'));
             if ($tag) {
                 $parentId = $request->get('parentId');
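Review bot: no test accompanies the new check in updateAction or in the other two actions; the commit touches one file and all six added lines are the `checkPermission` calls and their blank lines. A functional test that calls add, delete and update as a user lacking 'tags_configuration' and expects a denial would keep this from regressing. It is also worth confirming that any other state-changing actions in TagsController not shown in these hunks carry the same check.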
    
