Pimcore Admin UI Classic Bundle User Enumeration Vulnerability

Vulnerability

A user enumeration vulnerability has been identified in the Pimcore Admin UI Classic Bundle, affecting versions prior to 1.7.4. This vulnerability arises from the 'Forgot Password' function, which does not provide a generic error message. Instead, it discloses whether an account exists based on the email input, allowing attackers to enumerate valid accounts. This issue could lead to unauthorized access if combined with password spraying attacks.

Impact

Exploitation of this vulnerability allows for user enumeration, which could lead to account takeover through credential stuffing attacks.

Reproduction

To reproduce this vulnerability, enter a valid email address into the 'Forgot Password' form. A success message will confirm the account exists. Then, input a non-existent email address to receive a generic error message. This discrepancy can be exploited to determine valid accounts.

Remediation

Users are advised to upgrade to version 1.7.4 or later. Additionally, the error messaging for the 'Forgot Password' function should be standardized to avoid disclosing whether an account exists.
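The remediation above, shown as an added illustration (not Pimcore's code): a 'Forgot Password' handler that leaks account existence through its response, beside a hardened version that returns the same status and message for every address, plus a check a defender can run to confirm no response oracle remains. The user store, email addresses and the `queue_reset_mail` helper are constructed for the example.

```python
# Constructed sample user store; the addresses are placeholders, not real accounts.
USERS = {"alice@example.test", "bob@example.test"}

# Messages returned by the handlers below.
GENERIC_MSG = "If an account exists for this address, a reset link has been sent."

# Constructed stand-in for mail delivery: records which addresses got a reset mail.
sent_reset_mails: list[str] = []


def queue_reset_mail(email: str) -> None:
    """Queue the reset mail asynchronously so the response is returned without
    waiting on delivery; a synchronous send would make response time differ
    between existing and non-existing accounts."""
    sent_reset_mails.append(email)


def forgot_password_leaky(email: str) -> tuple[int, str]:
    """Before: a success message for existing accounts and an error for unknown
    addresses, so the response itself tells the caller whether the account exists."""
    if email in USERS:
        queue_reset_mail(email)
        return 200, "A password reset link has been sent."
    return 404, "No account found for this email address."


def forgot_password_hardened(email: str) -> tuple[int, str]:
    """After: identical status and body whether or not the account exists.
    The reset mail is still only queued for real accounts."""
    if email in USERS:
        queue_reset_mail(email)
    return 200, GENERIC_MSG


def leaks_account_existence(handler, known_email: str, unknown_email: str) -> bool:
    """Defensive check: returns True if the handler's (status, body) response
    differs between a known and an unknown address, i.e. an enumeration oracle."""
    return handler(known_email) != handler(unknown_email)
```

The check compares only status and body; a reviewer would additionally confirm that unknown addresses never trigger a reset mail, as the hardened handler guarantees.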

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 9.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.