Vulnerability: Bypassing Two-Factor Authentication in Pimcore Admin Classic Bundle

Vulnerability: Bypassing Two-Factor Authentication in Pimcore Admin Classic Bundle

CVE-2023-49075 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

The Admin Classic Bundle provides a Backend UI for Pimcore. `AdminBundle\Security\PimcoreUserTwoFactorCondition` introduced in v11 disable the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the two factor credentials. This issue has been patched in version 1.2.2.

Learn more about our User Device Pen Test.