Packagist (Composer) package
pimcore/admin-ui-classic-bundle
pkg:composer/pimcore/admin-ui-classic-bundle
Vulnerabilities (14)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-23495 | — | >= 2.0.0-RC1, < 2.2.3 | 2.2.3 | Jan 15, 2026 | Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e. | ||
| CVE-2025-30166 | — | < 1.7.6 | 1.7.6 | Apr 8, 2025 | Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. An HTML injection issue allows users with access to the email sending functionality to inject arbitrary HTML code into emails sent via the admin interface, potentially leading to session cookie theft and the altera | ||
| CVE-2025-24980 | — | < 1.7.4 | 1.7.4 | Feb 7, 2025 | pimcore/admin-ui-classic-bundle provides a Backend UI for Pimcore. In affected versions an error message discloses existing accounts and leads to user enumeration on the target via "Forgot password" function. No generic error message has been implemented. This issue has been addr | ||
| CVE-2024-41109 | — | < 1.5.2 | 1.5.2 | Jul 30, 2024 | Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Navigating to `/admin/index/statistics` with a logged in Pimcore user exposes information about the Pimcore installation, PHP version, MYSQL version, installed bundles and all database tables and their | ||
| CVE-2024-25625 | — | < 1.3.4 | 1.3.4 | Feb 19, 2024 | Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in `pimcore/admin-ui-classic-bundle` prior to version 1.3.4. The vulnerability involves a Host Header Injection in the `invitationLinkAction` function of the U | ||
| CVE-2024-24822 | — | < 1.3.3 | 1.3.3 | Feb 7, 2024 | Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Prior to version 1.3.3, an attacker can create, delete etc. tags without having the permission to do so. A fix is available in version 1.3.3. As a workaround, one may apply the patch manually. | ||
| CVE-2024-23646 | — | >= 1.0.0, < 1.3.2 | 1.3.2 | Jan 24, 2024 | Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, parameter `selectedIds` is susceptible to SQL Injection. Any backend user wit | ||
| CVE-2024-23648 | — | < 1.2.3 | 1.2.3 | Jan 24, 2024 | Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password. The URL sent contains a unique token, valid during 24 hours, allowin | ||
| CVE-2023-49075 | — | < 1.2.2 | 1.2.2 | Nov 28, 2023 | The Admin Classic Bundle provides a Backend UI for Pimcore. `AdminBundle\Security\PimcoreUserTwoFactorCondition` introduced in v11 disable the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the | ||
| CVE-2023-47636 | — | < 1.2.1 | 1.2.1 | Nov 15, 2023 | The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) qu | ||
| CVE-2023-46722 | — | < 1.2.0 | 1.2.0 | Oct 31, 2023 | The Pimcore Admin Classic Bundle provides a backend UI for Pimcore. Prior to version 1.2.0, a cross-site scripting vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other mal | ||
| CVE-2023-5844 | — | < 1.2.0-RC1 | 1.2.0-RC1 | Oct 30, 2023 | Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0. | ||
| CVE-2023-42817 | — | < 1.1.2 | 1.1.2 | Sep 25, 2023 | Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore. The translation value with text including “%s” (from “%suggest%) is parsed by sprintf() even though it’s supposed to be output literally to the user. The translations may be accessible by a user with comparatively | ||
| CVE-2023-37280 | — | < 1.0.3 | 1.0.3 | Jul 11, 2023 | Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. An admin who has not setup two factor authentication before is vulnerable for this attack, without need for any form of privilege, causing the application to execute arbitrary scripts/HTM |
- CVE-2026-23495Jan 15, 2026affected >= 2.0.0-RC1, < 2.2.3fixed 2.2.3
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.
- CVE-2025-30166Apr 8, 2025affected < 1.7.6fixed 1.7.6
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. An HTML injection issue allows users with access to the email sending functionality to inject arbitrary HTML code into emails sent via the admin interface, potentially leading to session cookie theft and the altera
- CVE-2025-24980Feb 7, 2025affected < 1.7.4fixed 1.7.4
pimcore/admin-ui-classic-bundle provides a Backend UI for Pimcore. In affected versions an error message discloses existing accounts and leads to user enumeration on the target via "Forgot password" function. No generic error message has been implemented. This issue has been addr
- CVE-2024-41109Jul 30, 2024affected < 1.5.2fixed 1.5.2
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Navigating to `/admin/index/statistics` with a logged in Pimcore user exposes information about the Pimcore installation, PHP version, MYSQL version, installed bundles and all database tables and their
- CVE-2024-25625Feb 19, 2024affected < 1.3.4fixed 1.3.4
Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been discovered in `pimcore/admin-ui-classic-bundle` prior to version 1.3.4. The vulnerability involves a Host Header Injection in the `invitationLinkAction` function of the U
- CVE-2024-24822Feb 7, 2024affected < 1.3.3fixed 1.3.3
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Prior to version 1.3.3, an attacker can create, delete etc. tags without having the permission to do so. A fix is available in version 1.3.3. As a workaround, one may apply the patch manually.
- CVE-2024-23646Jan 24, 2024affected >= 1.0.0, < 1.3.2fixed 1.3.2
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create zip files from available files on the site. In the 1.x branch prior to version 1.3.2, parameter `selectedIds` is susceptible to SQL Injection. Any backend user wit
- CVE-2024-23648Jan 24, 2024affected < 1.2.3fixed 1.2.3
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to the the user requesting a password change an email containing an URL to reset its password. The URL sent contains a unique token, valid during 24 hours, allowin
- CVE-2023-49075Nov 28, 2023affected < 1.2.2fixed 1.2.2
The Admin Classic Bundle provides a Backend UI for Pimcore. `AdminBundle\Security\PimcoreUserTwoFactorCondition` introduced in v11 disable the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the
- CVE-2023-47636Nov 15, 2023affected < 1.2.1fixed 1.2.1
The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Full Path Disclosure (FPD) vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the load_file() (within a SQL Injection) qu
- CVE-2023-46722Oct 31, 2023affected < 1.2.0fixed 1.2.0
The Pimcore Admin Classic Bundle provides a backend UI for Pimcore. Prior to version 1.2.0, a cross-site scripting vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other mal
- CVE-2023-5844Oct 30, 2023affected < 1.2.0-RC1fixed 1.2.0-RC1
Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0.
- CVE-2023-42817Sep 25, 2023affected < 1.1.2fixed 1.1.2
Pimcore admin-ui-classic-bundle provides a Backend UI for Pimcore. The translation value with text including “%s” (from “%suggest%) is parsed by sprintf() even though it’s supposed to be output literally to the user. The translations may be accessible by a user with comparatively
- CVE-2023-37280Jul 11, 2023affected < 1.0.3fixed 1.0.3
Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based on the ExtJS framework. An admin who has not setup two factor authentication before is vulnerable for this attack, without need for any form of privilege, causing the application to execute arbitrary scripts/HTM