Observable Response Discrepancy
CVE-2025-24980
Summary
pimcore/admin-ui-classic-bundle provides the backend UI for Pimcore. In affected versions, the "Forgot password" function returns a distinct error message when the supplied account does not exist, so an unauthenticated attacker can enumerate valid user accounts by submitting candidate names and comparing responses. No generic, account-independent message was implemented. The vulnerability affects versions prior to 1.7.4; all users are advised to upgrade. There are no known workarounds.
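The following is an added, self-contained example that models the flaw and its fix; it is not Pimcore's PHP code and does not reproduce the bundle's actual handler. The user table, the `USERS`, `OUTBOX`, `forgot_password_vulnerable`, `forgot_password_fixed` and `enumerate_accounts` names, and the message strings are all constructed for illustration. `enumerate_accounts` is the black-box check a tester would run against any such endpoint: it compares each candidate name's response with the response for a name known not to exist.

```python
"""CWE-204 in a 'forgot password' handler: oracle vs. uniform response.
Constructed example, not Pimcore code."""
import secrets

# Constructed account store standing in for the real user table (example data).
USERS = {"admin": "admin@example.test", "editor": "editor@example.test"}

# Outbox used instead of a real mailer so the example runs offline.
OUTBOX = []


def queue_reset_mail(email, token):
    """Hand the mail to a queue. Real SMTP work must not run inside the request,
    or its latency becomes a second (timing) oracle for account existence."""
    OUTBOX.append((email, token))


def forgot_password_vulnerable(username):
    """The pattern behind CWE-204: the response reveals whether the account exists."""
    if username not in USERS:
        return 404, "User not found"  # distinguishable from the success path
    queue_reset_mail(USERS[username], secrets.token_urlsafe(32))
    return 200, "A password reset link has been sent."


def forgot_password_fixed(username):
    """Same status code and body on both paths; only the side effect differs."""
    token = secrets.token_urlsafe(32)  # same work on both paths, not only on success
    email = USERS.get(username)
    if email is not None:
        queue_reset_mail(email, token)
    return 200, "If an account with that name exists, a reset link has been sent."


def enumerate_accounts(handler, candidates, bogus="no-such-user-7f3a"):
    """Black-box check: return the candidate names whose response differs from
    the response for a name known not to exist. A non-empty result means the
    handler is a user-enumeration oracle."""
    baseline = handler(bogus)
    return [name for name in candidates if handler(name) != baseline]


if __name__ == "__main__":
    wordlist = ["admin", "editor", "guest"]
    print("vulnerable:", enumerate_accounts(forgot_password_vulnerable, wordlist))
    print("fixed:     ", enumerate_accounts(forgot_password_fixed, wordlist))
```

The fixed handler keeps status code, body and the amount of work done identical on both paths; the only difference is whether a mail is queued, which the caller cannot observe. When retrofitting a real endpoint, also check response headers, redirect targets and response time, since any of them can carry the same discrepancy as the message text.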
CVSS v3 metrics:
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Privileges Required: NONE
- Scope: UNCHANGED
- User Interaction: NONE
- Availability: NONE
- Confidentiality: LOW
- Integrity: NONE
CWE-204 - Observable Response Discrepancy
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.