VYPR
Moderate severity · NVD Advisory · Published Feb 7, 2025 · Updated Jan 16, 2026

Pimcore Admin Classic Bundle allows user enumeration

CVE-2025-24980

Description

pimcore/admin-ui-classic-bundle provides the backend UI for Pimcore. In affected versions, the "Forgot password" function answers with a different message depending on whether the submitted username exists: an existing account gets the "login link has been sent" confirmation, an unknown one gets an error. No generic message covering both cases was implemented, so the response discloses which accounts exist and allows user enumeration against the target. This issue has been addressed in version 1.7.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
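The oracle described above, and the check a tester runs to confirm or rule it out, as an added example. This is not Pimcore's code or the advisory's: it models the "lost password" endpoint before and after the fix as plain functions, and the account names, response bodies, sentinel username and per-path timing costs are all constructed for illustration. The `timing_oracle_closed` helper models the patch's approach of adding a random delay to the error path only, and goes one step past the advisory by showing when such a delay does and does not hide a timing difference.

```python
"""Added example (not Pimcore's code): a model of the lost-password endpoint
before and after the fix, the enumeration check run against it, and a model
of the random-delay mitigation. All data below is constructed."""
from typing import Callable, Iterable

# Constructed: the accounts the hypothetical backend knows about.
KNOWN_USERS = {"admin", "editor"}

# Response bodies modelled on the strings in the lost_password template.
SUCCESS_BODY = ("A temporary login link has been sent to your email address. "
                "Please check your mailbox.")
ERROR_BODY = ("An error occured when resetting password: "
              "Please make sure you are entering a correct input.")

Response = tuple[int, str]  # (HTTP status, body)


def lost_password_vulnerable(username: str) -> Response:
    """Pre-1.7.4 behaviour: the body differs depending on whether the user exists."""
    if username in KNOWN_USERS:
        return 200, SUCCESS_BODY
    return 200, ERROR_BODY


def lost_password_fixed(username: str) -> Response:
    """1.7.4 behaviour: the same body is returned whether or not the user exists.
    The lookup still happens (and a miss would be logged server-side), but the
    client cannot tell the two cases apart from the response."""
    _exists = username in KNOWN_USERS
    return 200, SUCCESS_BODY


def enumerate_users(endpoint: Callable[[str], Response],
                    candidates: Iterable[str]) -> set[str]:
    """Return the candidates the endpoint confirms as existing accounts.

    A probe with a name that is virtually guaranteed not to exist gives the
    'no such user' baseline; every candidate whose (status, body) differs
    from that baseline has just been disclosed as a real account."""
    baseline = endpoint("no-such-user-0f3a9c1e")  # constructed sentinel name
    return {name for name in candidates if endpoint(name) != baseline}


def timing_oracle_closed(existing_us: int, missing_us: int,
                         jitter_us: tuple[int, int]) -> bool:
    """Model of usleep(random_int(lo, hi)) applied to the 'missing user' path only.

    existing_us / missing_us are constructed costs of the two code paths in
    microseconds (PHP's usleep takes microseconds). The delayed 'missing' path
    takes somewhere in [missing_us + lo, missing_us + hi]; the side channel is
    only closed if the undelayed 'existing' path can fall inside that range.
    Otherwise one path is always faster and the jitter hides nothing."""
    lo, hi = jitter_us
    return missing_us + lo <= existing_us <= missing_us + hi


if __name__ == "__main__":
    probes = ["admin", "editor", "bob"]
    print("vulnerable:", enumerate_users(lost_password_vulnerable, probes))
    print("fixed:     ", enumerate_users(lost_password_fixed, probes))
    # Constructed costs: sending the login-link mail ~20 ms, a failed lookup ~0.5 ms.
    print("50-200 us jitter closes timing oracle:",
          timing_oracle_closed(20_000, 500, (50, 200)))
    print("0-40 ms jitter closes timing oracle:  ",
          timing_oracle_closed(20_000, 500, (0, 40_000)))
```

Against a real deployment the comparison in `enumerate_users` should cover everything the client can observe (status, body length, headers, redirect target, response time over repeated probes), not just the rendered text; a fix that only unifies the template leaves the timing channel open if one path still does noticeably more work than the other.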

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Source     Affected versions   Patched versions
pimcore/admin-ui-classic-bundle  Packagist  < 1.7.4             1.7.4


Patches

Commit 96ae555578c3

[Security]: Avoid user enumeration via reset password link (#808)

2 files changed · +7 −21
  • src/Controller/Admin/LoginController.php  +2 −7  modified
    @@ -274,18 +274,13 @@ public function lostpasswordAction(
     
                 if ($error) {
                     Logger::error('Lost password service: ' . $error);
    +                //to avoid timing based enumeration
    +                usleep(random_int(50,200));
                 }
             }
     
             $csrfProtection->regenerateCsrfToken($request->getSession());
     
    -        if ($error) {
    -            $params['reset_error'] = 'Please make sure you are entering a correct input.';
    -            if ($error === 'user_reset_password_too_many_attempts') {
    -                $params['reset_error'] = 'Too many attempts. Please retry later.';
    -            }
    -        }
    -
             return $this->render('@PimcoreAdmin/admin/login/lost_password.html.twig', $params);
         }
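Review bot: the delay added inside `if ($error)` is `usleep(random_int(50,200))`, and PHP's usleep takes microseconds, so this adds at most 0.2 ms, and only on the failure branch; the success branch still sends the login-link mail (per the template's success text), which will normally take far longer than 200 µs, so a remote timing probe can still separate the two cases. Suggest equalizing the paths instead (same work or same delay on both branches, or hand the mail off asynchronously and return immediately), and if random delay is kept, size it to the real cost of the success path and apply it on both branches. Also, deleting the `reset_error` block removes the 'Too many attempts. Please retry later.' feedback for `user_reset_password_too_many_attempts`; that is consistent with the goal (a distinct rate-limit message is itself an oracle), but it is a visible behaviour change that deserves a code comment and a changelog entry.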
     
    
  • templates/admin/login/lost_password.html.twig  +5 −14  modified
    @@ -3,20 +3,11 @@
     {% block content %}
     
         {% if app.request.method == 'POST' %}
    -        {% if reset_error is not defined %}
    -            <div class="text success">
    -                {{ 'A temporary login link has been sent to your email address.'|trans([],'admin') }}
    -                <br/>
    -                {{ 'Please check your mailbox.'|trans([],'admin') }}
    -            </div>
    -        {% else %}
    -            <div class="text error">
    -                {{ 'An error occured when resetting password:'|trans([],'admin') }}
    -                {{ reset_error|trans([],'admin') }}
    -                <br/>
    -                {{ 'Please retry again later or contact an administrator.'|trans([],'admin') }}
    -            </div>
    -        {% endif %}
    +        <div class="text success">
    +            {{ 'A temporary login link has been sent to your email address.'|trans([],'admin') }}
    +            <br/>
    +            {{ 'Please check your mailbox.'|trans([],'admin') }}
    +        </div>
         {% else %}
             <div class="text info">
                 {{ 'Enter your username and pimcore will send a login link to your email address'|trans([],'admin') }}
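Review bot: with the `{% else %}` branch removed, every POST now renders 'A temporary login link has been sent to your email address.', including requests the controller rejected (unknown username, or the rate-limited `user_reset_password_too_many_attempts` case the deleted branch used to report). A uniform response is the right goal, but this text asserts something that is false for those requests; suggest neutral wording such as 'If an account exists for this username, a login link has been sent to its email address.' so the message stays truthful in both cases while still revealing nothing.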
    

