Moderate severity · NVD Advisory · Published Jul 30, 2024 · Updated Aug 2, 2024
Pimcore vulnerable to disclosure of system and database information behind /admin firewall
CVE-2024-41109
Description
Pimcore's Admin Classic Bundle provides the backend user interface for Pimcore. Navigating to /admin/index/statistics as any logged-in Pimcore backend user (administrator rights were not required) exposes information about the Pimcore installation, the PHP version, the MySQL version, the installed bundles, and every database table together with its row count. This vulnerability is fixed in pimcore/admin-ui-classic-bundle 1.5.2, 1.4.6, and 1.3.10.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pimcore/admin-ui-classic-bundle (Packagist) | < 1.5.2 | 1.5.2 |
Affected products
- Range: < 1.5.2
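To turn the version ranges above into a repeatable check, here is an added example (my code, not Pimcore's) that reads the bundle version out of a composer.lock and decides whether it falls in the affected range, using the fixed releases 1.5.2, 1.4.6 and 1.3.10 named in the description together with the "< 1.5.2" Packagist range. The composer.lock excerpt is constructed for the example. It also classifies a captured response body from /admin/index/statistics on an assumption of mine that the advisory does not state: a patched reply to a non-admin is exactly {"success": true|false}, and a JSON object carrying any other keys is the raw statistics payload.

```python
import json
import re

# Fixed releases named in the advisory description. The Packagist range says
# "< 1.5.2" is affected; 1.4.6 and 1.3.10 are the backports on the older branches.
FIXED_VERSIONS = ((1, 5, 2), (1, 4, 6), (1, 3, 10))
PACKAGE = "pimcore/admin-ui-classic-bundle"

# Constructed composer.lock excerpt for this example (not a real lock file).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "pimcore/pimcore", "version": "v11.2.4"},
        {"name": "pimcore/admin-ui-classic-bundle", "version": "v1.5.1"},
    ],
    "packages-dev": [],
})


def parse_version(version: str) -> tuple:
    """'v1.5.1', '1.5.1' or '1.5.1-RC2' -> (1, 5, 1). Pre-release tags are ignored,
    which errs on the side of treating an RC of a fixed release as fixed."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"cannot parse version {version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version: str) -> bool:
    """True if this bundle version still returns raw statistics to any backend user."""
    v = parse_version(version)
    if v >= FIXED_VERSIONS[0]:
        return False  # 1.5.2 and every later release carry the fix
    for fix in FIXED_VERSIONS:
        if v[:2] == fix[:2] and v >= fix:
            return False  # on a backport branch (1.4.x / 1.3.x) at or above its fix
    return True


def installed_version(composer_lock: str, package: str = PACKAGE):
    """Return the locked version string for `package`, or None if it is not installed."""
    lock = json.loads(composer_lock)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == package:
                return entry.get("version")
    return None


def classify_statistics_response(body: str) -> str:
    """Classify a JSON body captured from GET /admin/index/statistics.

    Assumption (mine, not from the advisory): the patched reply to a non-admin is
    exactly {"success": <bool>}; a JSON object with any other keys is treated as
    the raw statistics payload that the advisory describes.
    """
    try:
        obj = json.loads(body)
    except ValueError:
        return "not-json"
    if not isinstance(obj, dict):
        return "unexpected"
    if set(obj) == {"success"} and isinstance(obj["success"], bool):
        return "forwarded-only"
    return "raw-statistics"


def report(composer_lock: str) -> dict:
    """Summarise exposure for one installation from its composer.lock."""
    version = installed_version(composer_lock)
    return {
        "package": PACKAGE,
        "version": version,
        "affected": version is not None and is_affected(version),
    }


if __name__ == "__main__":
    print(report(SAMPLE_COMPOSER_LOCK))
    print(classify_statistics_response('{"success": true}'))
```

Run it against a real composer.lock by passing the file contents to report(); a version on an unmaintained branch below 1.3 is reported as affected because no fix was published for it, which matches the Packagist range.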
Patches
2022e87f147eaAdd missing workflow_transition_unsaved_data string (#624)
1 file changed · +2 −1
translations/admin.en.yaml+2 −1 modified@@ -790,6 +790,7 @@ there_are_more_items: 'There are more items than displayed' workflow_actions: Actions workflow_notes_requred_field_message: '"%s" is a required field.' workflow_transition_applied_successfully: 'Action applied successfully' +workflow_transition_unsaved_data: 'Your data changes have not been saved yet. Please, save changes before applying workflow transition.' workflow_change_email_notification_subject: "Workflow update for %s in workflow '%s'" workflow_details: 'Workflow Details' workflow_graph: 'Workflow Graph' @@ -1020,4 +1021,4 @@ female: Female pdf_js_unsafe: This PDF file contains JavaScript. If you want to view it, please download and open it in your local PDF viewer. pdf_scan_in_progress: 'Preview not available: PDF is being scanned. This may take a while.' invalid_option: 'Invalid Option field [ {field} ]: Please choose a valid option for select / multiselect field [ {field} ]. Current value: "{option}"' -respect_timezone: 'Respect timezone' \ No newline at end of file +respect_timezone: 'Respect timezone'
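Review bot: this commit is unrelated to the disclosure fix and should be left out of a security-only backport: the only change is the new workflow_transition_unsaved_data string plus the trailing newline after respect_timezone in translations/admin.en.yaml, and nothing in it touches the statistics endpoint.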
afa10bff2f8b[Security]: Disclosed system and database information behind /admin firewall via statistics (#625)
3 files changed · +36 −12
config/services.yaml+6 −0 modified@@ -18,6 +18,12 @@ services: public: true tags: ['controller.service_arguments'] + Pimcore\Bundle\AdminBundle\Controller\Admin\IndexController: + public: true + arguments: + $httpClient: '@pimcore.http_client' + tags: [ 'controller.service_arguments' ] + # # COMMANDS #
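Review bot: the new Pimcore\Bundle\AdminBundle\Controller\Admin\IndexController service hard-wires `$httpClient: '@pimcore.http_client'`, so container compilation now depends on that service id existing in the core package this bundle runs against; pin the minimum pimcore/pimcore version that provides pimcore.http_client in composer.json (or make the argument optional) so an older core does not fail at cache warmup. A one-line comment above the definition saying the client is used to forward statistics to liveupdate.pimcore.org for non-admin users would also help, since it is a new outbound dependency of the admin UI.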
public/js/pimcore/startup.js+12 −10 modified@@ -562,19 +562,21 @@ Ext.onReady(function () { request.open('GET', Routing.generate('pimcore_admin_index_statistics')); request.setRequestHeader('X-Requested-With', 'XMLHttpRequest'); - request.onload = function () { - if (this.status >= 200 && this.status < 400) { - var res = Ext.decode(this.response); + if (pimcore.currentuser.admin) { + request.onload = function () { + if (this.status >= 200 && this.status < 400) { + var res = Ext.decode(this.response); - var request = new XMLHttpRequest(); - request.open('POST', "https://liveupdate.pimcore.org/statistics"); + var request = new XMLHttpRequest(); + request.open('POST', "https://liveupdate.pimcore.org/statistics"); - var data = new FormData(); - data.append('data', encodeURIComponent(JSON.stringify(res))); + var data = new FormData(); + data.append('data', encodeURIComponent(JSON.stringify(res))); - request.send(data); - } - }; + request.send(data); + } + }; + } request.send(data); } }
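Review bot: the `if (pimcore.currentuser.admin)` guard around request.onload is client-side only and must not be read as the fix; the authoritative control is the isAdmin() check in IndexController, and this hunk changes nothing for a non-admin who calls the route directly. Note too that the trailing `request.send(data);` stays outside the guard, so every user still issues the GET and non-admin sessions now trigger the server-side forward on each admin start. Two nits while here: the inner `var request = new XMLHttpRequest();` shadows the outer request inside its own onload handler, and the browser path posts `data=<encodeURIComponent(JSON)>` as form data while the PHP path in IndexController posts a raw JSON body, so liveupdate.pimcore.org now receives two different encodings of the same payload.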
src/Controller/Admin/IndexController.php+18 −2 modified@@ -18,6 +18,7 @@ use Doctrine\DBAL\Connection; use Exception; +use GuzzleHttp\ClientInterface; use Pimcore\Bundle\AdminBundle\Controller\AdminAbstractController; use Pimcore\Bundle\AdminBundle\Event\AdminEvents; use Pimcore\Bundle\AdminBundle\Event\IndexActionSettingsEvent; @@ -61,7 +62,8 @@ class IndexController extends AdminAbstractController implements KernelResponseE { public function __construct( protected EventDispatcherInterface $eventDispatcher, - protected TranslatorInterface $translator + protected TranslatorInterface $translator, + protected ClientInterface $httpClient ) { } @@ -156,7 +158,21 @@ public function statisticsAction(Request $request, Connection $db, KernelInterfa $data = []; } - return $this->adminJson($data); + if ($this->getAdminUser()->isAdmin()) { + return $this->adminJson($data); + } + + $response = $this->httpClient->request( + 'POST', + 'https://liveupdate.pimcore.org/statistics', + [ + 'body' => json_encode($data), + ] + ); + + return $this->adminJson([ + 'success' => ($response->getStatusCode() >= 200 && $response->getStatusCode() < 400), + ]); } protected function addRuntimePerspective(array &$templateParams, User $user): static
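Review bot: the non-admin branch calls `$this->httpClient->request('POST', 'https://liveupdate.pimcore.org/statistics', ['body' => json_encode($data)])` with no timeout option and no try/catch; a Guzzle client throws on connection failure and, with the default http_errors setting, on 4xx/5xx responses, so an unreachable or refusing liveupdate host turns every non-admin UI start into a 500 from this action and the getStatusCode() range check below is only ever reached on success. Wrap the call in a try/catch that returns `['success' => false]`, pass an explicit short timeout, and consider `'http_errors' => false` so the status check does its job. Separately, `$data` is still collected before the `$this->getAdminUser()->isAdmin()` test, so the per-table row-count queries run for every backend user even though none of it is returned to them; moving the isAdmin() test above the collection, or returning early for non-admins without forwarding at all, avoids both that work and a third-party upload triggered by low-privilege users.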
Vulnerability mechanics
The statisticsAction in src/Controller/Admin/IndexController.php collects installation details (Pimcore and PHP version, MySQL version, installed bundles, and every database table with its row count) into $data and, before the fix, returned it verbatim with adminJson($data) to whoever requested /admin/index/statistics. The route sits behind the /admin firewall, so it required a login but no further authorization check, and public/js/pimcore/startup.js requests it from Ext.onReady on every admin UI start, so any backend user could read the payload from the browser's network tools. The fix (afa10bff2f8b) returns the raw data only when getAdminUser()->isAdmin() is true; for every other user the controller forwards the statistics to https://liveupdate.pimcore.org/statistics server side through an injected Guzzle client and replies with only a success flag, while the JavaScript wraps its own browser-side forwarding in if (pimcore.currentuser.admin).
References
- github.com/advisories/GHSA-fx6j-9pp6-ph36 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-41109 (NVD advisory)
- github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/IndexController.php (affected source file)
- github.com/pimcore/admin-ui-classic-bundle/commit/afa10bff2f8bfe9c8af7b6b75885bc403f6984f0 (fix commit)
- github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.5.2 (fixed release)
- github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-fx6j-9pp6-ph36 (vendor advisory)