CVE-2021-39189
Observable Response Discrepancy in Lost Password Service
In short
Pimcore's password reset feature reveals whether a username exists in the system through observable differences in the response, allowing attackers to discover valid user accounts.
Technical detail
An unauthenticated attacker can enumerate valid usernames by submitting password reset requests and comparing the responses: the endpoint answers differently depending on whether the submitted account exists (CWE-204, observable response discrepancy), so the response itself confirms or denies that an account exists. Exploitation requires only network access to the forgot-password endpoint; the impact is limited to confidentiality, namely disclosure of which user accounts exist.
Summary generated and translated by AI from the official description.
Pimcore is an open source data & experience management platform. In versions prior to 10.1.3, it is possible to enumerate usernames via the forgot password functionality. This issue is fixed in version 10.1.3. As a workaround, one may apply the available patch manually.
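The following is an added illustration of the CWE-204 pattern described above, not code from Pimcore or from the patch. It models a lost-password handler in Python with a constructed in-memory user store and mail queue: the vulnerable variant answers differently for known and unknown usernames, the hardened variant returns one identical response (same status, same body, same constant-time work) regardless of account existence, and a small defender-side check confirms whether a handler's responses are distinguishable.

```python
"""CWE-204 in a password-reset flow: leaky handler, uniform handler, and a check.

Everything here is constructed for illustration; it is not Pimcore code.
"""
from typing import Callable, Dict, List

# Constructed user store: username -> e-mail address.
USERS: Dict[str, str] = {"alice": "alice@example.com"}

# Constructed outbound mail queue; a real system would hand this to a worker.
MAIL_QUEUE: List[str] = []


def queue_reset_mail(address: str) -> None:
    """Enqueue a reset mail. Constant-time append keeps both branches cheap,
    so the hardened handler does not leak account existence via latency."""
    MAIL_QUEUE.append(address)


def reset_vulnerable(username: str) -> Dict[str, object]:
    """Leaky variant: the response depends on whether the username exists."""
    if username not in USERS:
        return {"status": 404, "body": "User not found"}
    queue_reset_mail(USERS[username])
    return {"status": 200, "body": "Reset link sent"}


def reset_hardened(username: str) -> Dict[str, object]:
    """Uniform variant: identical status and body for every input.
    Only the side effect (queuing a mail) differs, and it is invisible
    to the requester."""
    if username in USERS:
        queue_reset_mail(USERS[username])
    return {
        "status": 200,
        "body": "If an account with that name exists, a reset link has been sent.",
    }


def responses_distinguish(
    handler: Callable[[str], Dict[str, object]], known: str, unknown: str
) -> bool:
    """Defender check: True if the handler's response for an existing
    account differs from its response for a non-existent one."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print("vulnerable leaks:", responses_distinguish(reset_vulnerable, "alice", "nobody"))
    print("hardened leaks:  ", responses_distinguish(reset_hardened, "alice", "nobody"))
```

A review of a reset endpoint should compare more than the body: status code, headers, redirect target and response time all count as observable channels, and the hardened handler above keeps all of them identical by doing the same constant-time work in both branches.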
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
pimcore · pimcore