Pimcore Admin Classic Bundle Predefined Properties Authorization Bypass Vulnerability

Vulnerability

A vulnerability exists in the Pimcore Admin Classic Bundle's API endpoint for listing Predefined Properties, affecting versions prior to 2.2.3 and 1.7.16. The endpoint performs no server-side authorization check for this action, so any authenticated backend user, including one without property management permissions, can retrieve the full list of Predefined Properties. These properties are metadata definitions used across Pimcore documents, assets and objects to standardize custom attributes and support editorial workflows. Because the check is missing on the server rather than merely hidden in the UI, the information is exposed to every backend account, which can reveal configuration details and facilitate further attacks within Pimcore's multi-user environment.
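The flaw described above is a missing server-side permission check on a "list" endpoint: authentication succeeds, but the handler never asks whether this particular user may manage properties. The following is an added, self-contained illustration (not Pimcore code and not taken from the advisory) of that pattern beside its hardened form, together with an authorization-matrix regression check of the kind a team would keep in its test suite so that any listing endpoint lacking such a check fails before release. The permission key `predefined_properties`, the user accounts, the `PredefinedProperty` fields and the sample records are all constructed for the example.

```python
"""Server-side authorization on a 'list' endpoint: vulnerable vs. fixed.

Constructed example, not Pimcore code. The permission key, users and the
PredefinedProperty shape below are assumed purely for illustration.
"""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset = frozenset()  # constructed permission keys


@dataclass(frozen=True)
class PredefinedProperty:
    key: str
    ctype: str      # element type the property applies to (assumed field)
    default: str    # default value (assumed field)


# Constructed sample data standing in for the real configuration store.
PREDEFINED_PROPERTIES = [
    PredefinedProperty("navigation_exclude", "document", "false"),
    PredefinedProperty("image_license", "asset", "internal-only"),
    PredefinedProperty("export_channel", "object", "web"),
]

# Constructed permission key guarding property management.
PROPERTIES_PERMISSION = "predefined_properties"


class AccessDenied(Exception):
    """Raised when the caller lacks the permission the endpoint requires."""


def list_properties_vulnerable(user: User) -> list[dict]:
    """Caller is authenticated, but the specific permission is never checked,
    so every backend user receives the full list (the flaw in the advisory)."""
    return [asdict(p) for p in PREDEFINED_PROPERTIES]


def list_properties_fixed(user: User) -> list[dict]:
    """Same endpoint with a server-side permission check before data access."""
    if PROPERTIES_PERMISSION not in user.permissions:
        raise AccessDenied(f"{user.name} lacks '{PROPERTIES_PERMISSION}'")
    return [asdict(p) for p in PREDEFINED_PROPERTIES]


def call(handler, user: User) -> tuple[int, list]:
    """Minimal dispatcher mapping the handler outcome to an HTTP-like status."""
    try:
        return 200, handler(user)
    except AccessDenied:
        return 403, []


# Authorization matrix: who is allowed to see this endpoint. The editor
# account is constructed to mirror the low-privileged user in the advisory.
ADMIN = User("admin", frozenset({PROPERTIES_PERMISSION, "assets", "documents"}))
EDITOR = User("editor", frozenset({"assets", "documents"}))  # no property rights

EXPECTED_STATUS = {"admin": 200, "editor": 403}


def authz_violations(handler) -> list[str]:
    """Describe every user whose actual status deviates from the matrix.
    An empty list means the handler is correctly protected."""
    violations = []
    for user in (ADMIN, EDITOR):
        status, body = call(handler, user)
        want = EXPECTED_STATUS[user.name]
        if status != want:
            violations.append(
                f"{handler.__name__}: {user.name} got {status} "
                f"(expected {want}), {len(body)} records exposed")
    return violations


if __name__ == "__main__":
    for h in (list_properties_vulnerable, list_properties_fixed):
        print(h.__name__, authz_violations(h) or "OK")
```

Running the block reports one violation for the vulnerable handler (the editor receives all three records with status 200) and none for the fixed one. The design point is that the permission check lives in the handler itself, before any data is read, rather than in the admin UI that decides whether to show a menu entry; only the server-side check stops a user who calls the endpoint directly.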

Impact

This vulnerability allows low-privileged users to enumerate all Predefined Properties, exposing internal metadata schemas and configuration details that could reveal business logic or sensitive defaults. In a PIM system like Pimcore, this could lead to unauthorized alterations of asset or object properties, with potential compliance breaches for organizations handling regulated content.

Reproduction

To reproduce this vulnerability, log in as an authenticated backend user who has not been granted property management permissions. Request the 'Predefined Properties' API endpoint; it returns the complete list of properties despite the missing permission. The request can be issued by reusing the 'Cookie' and 'X-Pimcore-Csrf-Token' headers from a legitimate backend request made by that user.

Remediation

Upgrade the Pimcore Admin Classic Bundle to version 2.2.3 or 1.7.16, depending on the release line in use; both contain the fix for this vulnerability.

Added: Jan 15, 2026, 5:20 PM
Updated: Jan 15, 2026, 5:20 PM

Vulnerability Rating

Custom Algorithm
  spread          3.4
  impact          0.6
  exploitability  6.8
  remediation     7.7
  relevance       2.1
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.