CVE-2023-49075
CVE-2023-49075 is a high-severity vulnerability in Pimcore Admin Classic Bundle with a CVSS 3.x base score of 8.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-308.
Key facts
- Severity: High (CVSS 3.x base score 8.4)
- EPSS exploit prediction: 1% (70th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-308
- Affected product: Pimcore Admin Classic Bundle
- Published:
- Last modified:
Description
The Admin Classic Bundle provides a Backend UI for Pimcore. `AdminBundle\Security\PimcoreUserTwoFactorCondition` introduced in v11 disable the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the two factor credentials. This issue has been patched in version 1.2.2.
Frequently asked questions
- What is CVE-2023-49075?
- The Admin Classic Bundle provides a Backend UI for Pimcore. `AdminBundle\Security\PimcoreUserTwoFactorCondition` introduced in v11 disable the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the two factor credentials. This issue has been patched in version 1.2.2.
- How severe is CVE-2023-49075?
- CVE-2023-49075 has a CVSS 3.x base score of 8.4, rated high severity. It is exploitable over network with low attack complexity, requires high privileges and user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-49075 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (70th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-49075?
- CVE-2023-49075 affects Pimcore Admin Classic Bundle. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-49075?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2023-49075 published?
- CVE-2023-49075 was published on 2023-11-28 and last updated on 2026-06-17.
References
- https://github.com/pimcore/admin-ui-classic-bundle/commit/e412b0597830ae564a604e2579eb40e76f7f0628
- https://github.com/pimcore/admin-ui-classic-bundle/pull/345
- https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-9wwg-r3c7-4vfg
- https://patch-diff.githubusercontent.com/raw/pimcore/admin-ui-classic-bundle/pull/345.patch
Affected products (1)
- cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:pimcore:*:*
More vulnerabilities in Pimcore Admin Classic Bundle
- CVE-2024-23646 — High (CVSS 8.8): Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The application allows users to create…
- CVE-2024-23648 — High (CVSS 8.8): Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. The password reset functionality sends to…
- CVE-2024-25625 — High (CVSS 8.1): Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. A potential security vulnerability has been…
- CVE-2023-5844 — High (CVSS 7.2): Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0.
- CVE-2024-24822 — Medium (CVSS 6.5): Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Prior to version 1.3.3, an attacker can…
- CVE-2024-41109 — Medium (CVSS 6.3): Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Navigating to `/admin/index/statistics`…
All CVEs affecting Pimcore Admin Classic Bundle →
Other CWE-308 vulnerabilities
- CVE-2026-45749 — High (CVSS 8.1): Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST…
- CVE-2025-42959 — High (CVSS 8.1): An unauthenticated attacker may exploit a scenario where a Hashed Message Authentication Code (HMAC) credential,…
- CVE-2024-47652 — High (CVSS 8.1): This vulnerability exists in Shilpi Client Dashboard due to implementation of inadequate authentication mechanism in…
- CVE-2024-27928 — Medium (CVSS 5.9): vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, if an attacker hacks…
- CVE-2026-56022 — Medium (CVSS 5.3): Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header,…
- CVE-2023-25681 — Medium (CVSS 5.3): LDAP users on IBM Spectrum Virtualize 8.5 which are configured to require multifactor authentication can still…