{"vulnerability": "ghsa-vr5f-php7-rg24", "sightings": [{"uuid": "8a3675d9-4bbd-46ce-861d-0de6718f6d86", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-VR5F-PHP7-RG24", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/3835", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-24980\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: Description\nSummary\n\nPimcore Admin Classic Bundle allows attackers to enumerate valid accounts because the Forgot password functionality uses different messages when the account is valid vs not.\n\nDetails\n-> error message discloses existing accounts and leads to user enumeration on the target via \"Forgot password\" function. since no generic error message is being implemented.\n\nPoC\n![image](https://github.com/user-attachments/assets/866e4cd1-25b2-4ed8-8292-6c528ae660d5)\n\n\nEnter first a valid account email address and click on submit\n![image](https://github.com/user-attachments/assets/7aaa1723-b0f9-4a76-b943-e1b01d1f37a9)\n\n\nA green message validating the account exists is shown and a login link is sent to the email\n![image](https://github.com/user-attachments/assets/7adb1f05-7339-4265-95c9-4d4817d4a6a1)\n\n\nnow go back and use a random email from temp-mail to test with a non existant account\n![image](https://github.com/user-attachments/assets/5ce0bb53-16c3-4f34-9541-9e01b49c7472)\n\n\n![image](https://github.com/user-attachments/assets/213e838f-0944-484e-93bf-7468ed9e699d)\n\n\nclick on submit and get an error in red that a problem occured\n![image](https://github.com/user-attachments/assets/c30dc56f-e612-46a0-945d-e9dc5f14da39)\n\n\nImpact\nuser enumeration is a confidentiality threat , that could potentially lead to an attacker to enumerate valid accounts and maybe taking over accounts in case combined with credential stuffing on an organisation .\n\nA remedition would be to change the error message in both cases ( valid and invalid emails ) to what we call a \"synchronised error \" it would be for example : \" if the given email address is linked to an account , then a login link would be sent to that email \" or something along those lines\n\ud83d\udccf Published: 2025-02-07T20:27:43Z\n\ud83d\udccf Modified: 2025-02-07T21:38:34Z\n\ud83d\udd17 References:\n1. https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-vr5f-php7-rg24\n2. https://nvd.nist.gov/vuln/detail/CVE-2025-24980\n3. https://github.com/pimcore/admin-ui-classic-bundle/pull/808\n4. https://github.com/pimcore/admin-ui-classic-bundle/commit/96ae555578c3b4df368092d71e07a6c4ddf8fbe9\n5. https://github.com/pimcore/admin-ui-classic-bundle", "creation_timestamp": "2025-02-07T22:02:52.000000Z"}]}