Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2024-49370

Plaintext Storage of a Password

Published: Oct 23, 2024 | Modified: Nov 06, 2024
CVSS 3.x
4.9
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2024-49370
CWEhttps://cwe.mitre.org/data/definitions/256.html

Pimcore is an open source data and experience management platform. When a PortalUserObject is connected to a PimcoreUser and Use Pimcore Backend Password is set to true, the change password function in Portal Profile sets the new password. Prior to Pimcore portal engine versions 4.1.7 and 3.1.16, the password is then set without hashing so it can be read by everyone. Everyone who combines PortalUser to PimcoreUsers and change passwords via profile settings could be affected. Versions 4.1.7 and 3.1.16 of the Pimcore portal engine fix the issue.

Weakness

Storing a password in plaintext may result in a system compromise.

Affected Software

Name Vendor Start Version End Version
Pimcore Pimcore * 3.1.16 (excluding)
Pimcore Pimcore 4.0.0 (including) 4.1.7 (excluding)

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2025 Aqua Security Software Ltd.   Privacy Policy | Terms of Use