CVE-2025-24980 - Vulnerability Details

pimcore/admin-ui-classic-bundle provides a Backend UI for Pimcore. In affected versions an error message discloses existing accounts and leads to user enumeration on the target via "Forgot password" function. No generic error message has been implemented. This issue has been addressed in version 1.7.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Pimcore	Admin Classic Bundle

Configuration 1 [-]

cpe:2.3:a:pimcore:admin_classic_bundle:*:*:*:*:*:pimcore:*:*

No data.

References

Link	Providers
https://github.com/pimcore/admin-ui-classic-bundle/commit/96ae555578c3b4df368092d71e07a6c4ddf8fbe9
https://github.com/pimcore/admin-ui-classic-bundle/pull/808
https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-vr5f-php7-rg24

History

Fri, 16 Jan 2026 17:30:00 +0000

Type	Values Removed	Values Added
Title	User enumeration in pimcore/admin-ui-classic-bundle	Pimcore Admin Classic Bundle allows user enumeration
References		https://github.com/pimcore/admin-ui-classic-bundle/commit/96ae555578c3b4df368092d71e07a6c4ddf8fbe9 https://github.com/pimcore/admin-ui-classic-bundle/pull/808

Tue, 04 Nov 2025 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pimcore Pimcore admin Classic Bundle
CPEs		cpe:2.3:a:pimcore:admin_classic_bundle::::::pimcore::*
Vendors & Products		Pimcore Pimcore admin Classic Bundle
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Fri, 07 Feb 2025 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 07 Feb 2025 20:15:00 +0000

Type	Values Removed	Values Added
Description		pimcore/admin-ui-classic-bundle provides a Backend UI for Pimcore. In affected versions an error message discloses existing accounts and leads to user enumeration on the target via "Forgot password" function. No generic error message has been implemented. This issue has been addressed in version 1.7.4 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Title		User enumeration in pimcore/admin-ui-classic-bundle
Weaknesses		CWE-204
References		https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-vr5f-php7-rg24
Metrics		cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-02-07T19:56:10.439Z

Updated: 2026-01-16T17:17:53.971Z

Reserved: 2025-01-29T15:18:03.212Z

Link: CVE-2025-24980

Vulnrichment

Updated: 2025-02-07T21:13:34.757Z

NVD

Status : Modified

Published: 2025-02-07T20:15:33.933

Modified: 2026-01-16T18:16:06.993

Link: CVE-2025-24980

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object