CVE-2023-5844
pimcore/admin-ui-classic-bundle Unverified Password Change
Description
### Impact

The admin UI's "change password" form does not reject a new password that is identical to the current one. Because the same password can be re-submitted and accepted as the "new" password, the change is not a real credential rotation, which violates the expected password policy; Pimcore does not enforce a strict policy here, so an attacker (or a user) can set the old password as the new password.

### Proof of Concept

1. Open the admin login URL and log in.
2. Click "User | My Profile".
3. In the change-password form, enter the current password as the new password and click save; the change is accepted.

### Patches

https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch

### Workarounds

Update to version 1.2.0, or apply the patch manually: https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch

### References

https://huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021/
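The following is an added illustration of the missing check, not Pimcore's code and not the contents of the linked patch. It models a minimal change-password handler in Python with a hypothetical `User` record and PBKDF2 hashing (assumptions made for the example): `change_password_vulnerable` reproduces the behaviour the advisory describes (only the current password is verified, so old == new is accepted), and `change_password_hardened` adds the rejection of a new password that verifies against the stored hash, plus a minimum-length rule.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical user record for this example; not Pimcore's User model.
@dataclass
class User:
    username: str
    password_hash: bytes  # 16-byte salt || PBKDF2-HMAC-SHA256 digest

PBKDF2_ROUNDS = 100_000
MIN_LENGTH = 10  # assumption: minimum length enforced by this example's policy


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted PBKDF2 hash; a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def change_password_vulnerable(user: User, old: str, new: str) -> str:
    """Behaviour described in the advisory: only the current password is checked,
    so re-submitting it as the new password is accepted."""
    if not verify_password(old, user.password_hash):
        return "rejected: current password is wrong"
    user.password_hash = hash_password(new)
    return "changed"


def change_password_hardened(user: User, old: str, new: str) -> str:
    """Same flow with the missing policy checks added."""
    if not verify_password(old, user.password_hash):
        return "rejected: current password is wrong"
    if len(new) < MIN_LENGTH:
        return "rejected: too short"
    # Check the candidate against the stored hash rather than comparing the two
    # submitted strings: the rule then also holds in flows that never collect the
    # current password (e.g. an admin-initiated reset).
    if verify_password(new, user.password_hash):
        return "rejected: new password must differ from the current one"
    user.password_hash = hash_password(new)
    return "changed"


def demo() -> tuple:
    """Replays the advisory's PoC (old password submitted as new) against both
    handlers and returns (vulnerable_result, hardened_result)."""
    current = "correct-horse-battery"  # constructed sample credential
    user = User("admin", hash_password(current))
    vulnerable = change_password_vulnerable(user, current, current)
    hardened = change_password_hardened(user, current, current)
    return vulnerable, hardened


if __name__ == "__main__":
    print(demo())
```

Note that the hardened check is ordered after the current-password verification, so an attacker cannot use the "must differ" response as an oracle for the current password without already knowing it.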
How to fix CVE-2023-5844
To remediate CVE-2023-5844, upgrade the affected package to a fixed version below.
- pimcore/admin-ui-classic-bundle: upgrade to 1.2.0-RC1 or later
Is CVE-2023-5844 being exploited?
Low. The EPSS score is 0.0%, i.e. the EPSS model estimates a negligible probability of exploitation in the wild over the next 30 days. This is a prediction, not evidence that the flaw has never been exploited, and it says nothing about the impact on a given deployment.
Affected packages (1)
- pimcore/admin-ui-classic-bundle: all versions from 0 up to, but not including, 1.2.0-RC1
CVSS scores
| Source | CVSS version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |