CVE-2024-25625

Summary

CVE-2024-25625 is a potential security vulnerability in Pimcore's Admin Classic Bundle, specifically in the `pimcore/admin-ui-classic-bundle` prior to version 1.3.4. The vulnerability involves a Host Header Injection in the `invitationLinkAction` function of the UserController, where the `$loginUrl` trusts user input. This vulnerability can be exploited by manipulating the HTTP host header in requests to the /admin/user/invitationlink endpoint, resulting in the generation of URLs with an attacker's domain. By sending invitation links with URLs pointing to an attacker-controlled domain, phishing attacks can be conducted. The vulnerability has a base severity rating of HIGH and requires HIGH privileges and user interaction for exploitation. Remediating this vulnerability involves updating to version 1.3.4 or later of `pimcore/admin-ui-classic-bundle`.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.