CVE-2021-39189

pimcore/pimcore

on github

Published

September 15, 2021

Severity

CVSS v3:

5.3 MEDIUM

CVSS v2:

5 MEDIUM

Description

Pimcore is an open source data & experience management platform. In versions prior to 10.1.3, it is possible to enumerate usernames via the forgot password functionality. This issue is fixed in version 10.1.3. As a workaround, one may apply the available patch manually.

References

https://github.com/pimcore/pimcore/pull/10223.patch
https://github.com/pimcore/pimcore/security/advisories/GHSA-579x-cjvr-cqj9
https://huntr.dev/bounties/12462a99-ebf8-4e39-80b3-54a16caa3f4c/
https://github.com/pimcore/pimcore/pull/10223/commits/d0a4de39cf05dce6af71f8ca039132bdfcbb0dce

Configurations

CPE23	Version Start	Version End	Exact Version
cpe:2.3:a:pimcore:pimcore::::::::	n/a	10.1.3	*

External Links

NVD - CVE-2021-39189