Skip to main content

Observable Response Discrepancy

CVE-2021-39189

Severity Medium
Score 5.3/10

Summary

Pimcore is an open source data & experience management platform. In versions prior to 10.1.3, it is possible to enumerate usernames via the forgot password functionality. This issue is fixed in version 10.1.3. As a workaround, one may apply the available patch manually.

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • LOW
  • NONE

CWE-204 - Observable Response Discrepancy

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

Advisory Timeline

  • Published