CVE-2024-23648 Overview
CVE-2024-23648 is a host header injection vulnerability in Pimcore's Admin Classic Bundle, which provides the backend user interface for Pimcore content management. The password reset functionality constructs reset URLs using the Host HTTP header from the incoming request without validation. An attacker can submit a password reset request for any user while spoofing the Host header to point to an attacker-controlled domain. When the victim clicks the link in the resulting email, the reset token is transmitted to the attacker, enabling full account takeover. The flaw affects all versions prior to 1.2.3 and is tracked under [CWE-74] (Improper Neutralization of Special Elements in Output).
Critical Impact
Successful exploitation allows an unauthenticated attacker to hijack any Pimcore administrator or user account by stealing a 24-hour password reset token through a spoofed Host header.
Affected Products
- Pimcore Admin Classic Bundle versions prior to 1.2.3
- Pimcore deployments using the admin-ui-classic-bundle component
- Any Pimcore backend exposing password reset functionality to the public internet
Discovery Timeline
- 2024-01-24 - CVE-2024-23648 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-23648
Vulnerability Analysis
The vulnerability resides in the password reset flow handled by LoginController.php within the Pimcore Admin Classic Bundle. When a user requests a password reset, the application generates a one-time token valid for 24 hours and embeds it in a URL sent via email. The reset URL is assembled by reading the Host header directly from the inbound HTTP request rather than from a trusted server-side configuration value.
Because many web server and reverse proxy configurations forward a request to the application regardless of its Host value (a catch-all or default virtual host, for example), an attacker can issue a reset request for a target email address while supplying an arbitrary Host value pointing to their own domain. The application then emails the victim a link such as https://attacker.example/admin/login/login-check?token=<valid-token>. If the victim clicks the link, the attacker's server receives the valid token in its request logs and can use it against the legitimate Pimcore instance to set a new password.
Root Cause
The root cause is unsafe trust of the Host request header during URL generation. The controller did not pin link generation to a configured trusted hostname, allowing user-controlled input to dictate the destination domain of authentication-sensitive emails.
Attack Vector
Exploitation requires only network access to the Pimcore login endpoint and a single user interaction (clicking the emailed link). No prior authentication or privileges are needed. The attack chain is: (1) attacker submits POST /admin/login/lost-password with the victim's username and a spoofed Host header; (2) Pimcore emails the victim a reset link pointing to the attacker's domain; (3) the victim clicks the link and the token is exfiltrated; (4) the attacker replays the token against the real Pimcore host to reset the victim's password.
use Pimcore\Logger;
use Pimcore\Model\User;
use Pimcore\Security\SecurityHelper;
+use Pimcore\SystemSettingsConfig;
use Pimcore\Tool;
use Pimcore\Tool\Authentication;
use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Google\GoogleAuthenticatorInterface;
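Review bot: an added import on its own changes no behaviour; the line that switches reset-URL generation from the request's Host header to the value held in SystemSettingsConfig is outside this fragment, so confirm that every place in LoginController.php that builds the lost-password link reads its domain from the configured setting, and that there is no fallback to the request host when that setting is empty. An empty configured domain that silently falls back to the inbound Host header would leave CVE-2024-23648 in place after the upgrade, so the deployment check should include verifying the configured Pimcore domain is set.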
Source: Pimcore patch commit 70f2205. The patch introduces SystemSettingsConfig into LoginController.php so reset URLs are derived from a trusted, server-side configured hostname instead of the inbound Host header.
Detection Methods for CVE-2024-23648
Indicators of Compromise
- Outbound DNS or HTTP traffic from Pimcore mail recipients to unknown domains matching the pattern of password reset URLs.
- Password reset emails containing links whose hostnames do not match the organization's canonical Pimcore domain.
- Web server access logs showing POST requests to /admin/login/lost-password with Host header values that differ from the server's expected FQDN.
Detection Strategies
- Parse Pimcore and reverse proxy access logs for Host header values that are not in an allow-list of approved hostnames.
- Correlate mail server logs with web logs to identify reset emails generated from requests bearing anomalous Host headers.
- Monitor for repeated password reset requests targeting administrative accounts originating from a single IP or short time window.
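One way to implement the first and third strategies above, as an added example that is not part of the original page or of Pimcore itself: it parses constructed access-log lines in an assumed custom nginx format that records the raw Host header ($http_host), flags requests to the lost-password endpoint whose Host is outside an allow-list, and counts reset requests per source IP.

```python
import re
from collections import Counter

# Constructed sample lines in a custom nginx log format that records the raw Host
# header ($http_host), which the default "combined" format omits:
#   $remote_addr [$time_local] "$request" $status "$http_host"
SAMPLE_LOG = """\
203.0.113.5 [24/Jan/2024:10:01:02 +0000] "POST /admin/login/lost-password HTTP/1.1" 200 "pimcore.example.com"
203.0.113.5 [24/Jan/2024:10:01:09 +0000] "POST /admin/login/lost-password HTTP/1.1" 200 "attacker.example"
203.0.113.5 [24/Jan/2024:10:01:15 +0000] "POST /admin/login/lost-password HTTP/1.1" 200 "ATTACKER.example:443"
198.51.100.7 [24/Jan/2024:10:02:00 +0000] "GET /admin/login HTTP/1.1" 200 "pimcore.example.com:443"
198.51.100.7 [24/Jan/2024:10:02:30 +0000] "POST /admin/login/lost-password?x=1 HTTP/1.1" 200 "evil.example"
"""
ALLOWED_HOSTS = {"pimcore.example.com", "admin.pimcore.example.com"}
RESET_PATH = "/admin/login/lost-password"
LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) "(?P<host>[^"]*)"$')

def normalise_host(raw: str) -> str:
    # Lower-case and drop an explicit port so "ATTACKER.example:443" compares as
    # "attacker.example" (IPv6 literals in Host are not handled here).
    return raw.strip().lower().split(":")[0]

def parse(log_text: str):
    # Yield parsed fields for reset-endpoint requests only; unparseable lines are skipped.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["path"].split("?", 1)[0] == RESET_PATH:   # ignore query string
            yield m

def find_spoofed_reset_requests(log_text: str, allowed: set) -> list:
    # Reset-endpoint requests whose Host header is outside the allow-list. The method
    # is deliberately not filtered: a GET with a spoofed Host is still worth a look.
    return [{"ip": m["ip"], "time": m["time"], "method": m["method"],
             "host": normalise_host(m["host"])}
            for m in parse(log_text) if normalise_host(m["host"]) not in allowed]

def reset_requests_per_ip(log_text: str) -> Counter:
    # Volume of reset requests per source IP, for the burst heuristic above.
    return Counter(m["ip"] for m in parse(log_text))

if __name__ == "__main__":
    for hit in find_spoofed_reset_requests(SAMPLE_LOG, ALLOWED_HOSTS):
        print(f"{hit['time']} {hit['ip']} {hit['method']} Host={hit['host']} not in allow-list")
    print(dict(reset_requests_per_ip(SAMPLE_LOG)))
```

On a real deployment, point the parser at the proxy's access log and feed the allow-list from the same source as the trusted_hosts setting so the two cannot drift apart.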
Monitoring Recommendations
- Alert on any HTTP request to authentication endpoints where the Host header does not match a configured production hostname.
- Log the source IP, user agent, and target username for every password reset request and review for anomalies.
- Track outbound clicks from Pimcore-generated emails through a mail security gateway to flag links pointing to non-corporate domains.
How to Mitigate CVE-2024-23648
Immediate Actions Required
- Upgrade Pimcore Admin Classic Bundle to version 1.2.3 or later, which derives reset URLs from server-side configuration.
- Invalidate any outstanding password reset tokens issued before the upgrade and force re-issuance through a trusted channel.
- Audit recent password reset events and authentication logs for evidence of unauthorized account changes.
Patch Information
The fix is delivered in commit 70f2205 of the admin-ui-classic-bundle repository and is included in release 1.2.3. Details are published in the Pimcore GHSA-mrqg-mwh7-q94j security advisory. The patch wires SystemSettingsConfig into LoginController.php so reset link generation no longer trusts the inbound Host header.
Workarounds
- Configure the upstream reverse proxy or web server to reject requests whose Host header does not match an allow-list of approved hostnames.
- In Symfony framework configuration, set framework.trusted_hosts to constrain accepted Host values to the canonical Pimcore domain.
- Restrict access to the /admin/login/lost-password endpoint via IP allow-listing or a VPN until patching is complete.
# Symfony trusted_hosts configuration example (config/packages/framework.yaml)
framework:
    trusted_hosts:
        - '^pimcore\.example\.com$'
        - '^admin\.pimcore\.example\.com$'

# Nginx-level Host header validation
server {
    listen 443 ssl;
    server_name pimcore.example.com;
    if ($host !~* ^(pimcore\.example\.com)$) {
        return 444;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

