Vulnerabilities
Misconfiguration
Compliance
CVE Vulnerabilities

CVE-2024-49370

Plaintext Storage of a Password

Published: Oct 23, 2024 | Modified: Nov 06, 2024
CVSS 3.x
4.9
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
Vulnerability-free packages from our partners
root.io logo minimus.io logo echo.ai logo
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2024-49370
CWEhttps://cwe.mitre.org/data/definitions/256.html

Pimcore is an open source data and experience management platform. When a PortalUserObject is connected to a PimcoreUser and Use Pimcore Backend Password is set to true, the change password function in Portal Profile sets the new password. Prior to Pimcore portal engine versions 4.1.7 and 3.1.16, the password is then set without hashing so it can be read by everyone. Everyone who combines PortalUser to PimcoreUsers and change passwords via profile settings could be affected. Versions 4.1.7 and 3.1.16 of the Pimcore portal engine fix the issue.

Weakness

The product stores a password in plaintext within resources such as memory or files.

Affected Software

NameVendorStart VersionEnd Version
PimcorePimcore*3.1.16 (excluding)
PimcorePimcore4.0.0 (including)4.1.7 (excluding)

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2026 Aqua Security Software Ltd.   Privacy Policy | Terms of Use