
CVE-2019-18985: Pimcore 2FA Vulnerable to Brute Forcing

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.00414%
Published: 5/24/2022
Updated: 8/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: pimcore/pimcore
Ecosystem: composer
Vulnerable Versions: < 6.2.2
First Patched Version: 6.2.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The critical vulnerability stems from missing brute-force protection in the 2FA verification endpoint. Commit 9f2d075 adds a BruteforceProtectionHandler to twoFactorAuthenticationAction, explicitly introducing attempt tracking and protection checks. The pre-patch absence of these checks in this authentication flow directly matches the CWE-307 description (Improper Restriction of Excessive Authentication Attempts). The UserController.php changes (CSRF removal) are unrelated to the core brute-force vulnerability.


WAF Protection Rules

WAF Rule

Pimcore before 6.2.2 lacks brute force protection for the 2FA token.
