Pimcore's Admin Classic Bundle is Missing Function Level Authorization on "Predefined Properties" Listing

Pimcore's Admin Classic Bundle provides a Backend UI for Pimcore. Prior to 2.2.3 and 1.7.16, the API endpoint for listing Predefined Properties in the Pimcore platform lacks adequate server-side authorization checks. Predefined Properties are configurable metadata definitions (e.g., name, key, type, default value) used across documents, assets, and objects to standardize custom attributes and improve editorial workflows, as documented in Pimcore's official properties guide. Testing confirmed that an authenticated backend user without explicit permissions for property management could successfully call the endpoint and retrieve the complete list of these configurations. The vulnerability is fixed in 2.2.3 and 1.7.16.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

访问控制不恰当

Pimcore 访问控制错误漏洞

Pimcore是奥地利Pimcore公司的一套开源的用于创建和管理Web应用程序的Web内容管理平台。该平台集成了Web内容管理、电子商务框架和产品信息管理等应用。 Pimcore存在访问控制错误漏洞，该漏洞源于API端点缺少服务器端授权检查，可能导致预定义属性配置泄露。

N/A

N/A