CVE-2021-39189
low-risk
Published 2021-09-15
Pimcore is an open source data & experience management platform. In versions prior to 10.1.3, it is possible to enumerate usernames via the forgot password functionality. This issue is fixed in version 10.1.3. As a workaround, one may apply the available patch manually.
Do I need to act?
0.02% chance of exploitation (EPSS score: low exploit probability)
Not on CISA KEV list (no confirmed active exploitation reported to CISA)
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 5.3/10 (Medium), attack vector NETWORK, LOW attack complexity
Affected Products (1)
Affected Vendors
References (8)
Third Party Advisory: https://github.com/pimcore/pimcore/security/advisories/GHSA-579x-cjvr-cqj9
Third Party Advisory: https://huntr.dev/bounties/12462a99-ebf8-4e39-80b3-54a16caa3f4c/
Risk score: 26 / 100 (low-risk)
Severity: 21/34 · High
Exploitability: 0/34 · Minimal
Exposure: 5/34 · Minimal