CVE-2023-49075 — Pimcore Admin UI has Two Factor Authentication disabled for non admin security f

Description

### Impact `AdminBundle\Security\PimcoreUserTwoFactorCondition` introduced in v11 disable the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the 2 factor credentials. ### Patches Apply patch https://patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch ### Workarounds Upgrade to version 1.2.2 or apply the [patch](https://patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch) manually.

How to fix CVE-2023-49075

To remediate CVE-2023-49075, upgrade the affected package to a fixed version below.

—upgrade to 1.2.2 or later

Is CVE-2023-49075 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.2.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-49075
PATCHgithub.com/pimcore/admin-ui-classic-bundle
WEBgithub.com/pimcore/admin-ui-classic-bundle/commit/e412b0597830ae564a604e2579eb40e76f7f0628
WEBgithub.com/pimcore/admin-ui-classic-bundle/pull/345