CVE-2023-49075: 
PHP vulnerability analysis and mitigation

CVE-2023-49075 is a security vulnerability in the Admin Classic Bundle, which provides a Backend UI for Pimcore. The vulnerability was introduced in v11 through the AdminBundle\Security\PimcoreUserTwoFactorCondition component, which incorrectly disabled two-factor authentication (2FA) for all non-admin security firewalls. The issue was discovered and patched in version 1.2.2 (GitHub Advisory).

The vulnerability stems from a logic error in the PimcoreUserTwoFactorCondition class where the two-factor authentication check was incorrectly returning false for non-admin firewalls, effectively bypassing the 2FA requirement. The vulnerability has been assigned a CVSSv3 score of 8.4 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H, indicating network accessibility, low attack complexity, high privileges required, and user interaction needed (GitHub Advisory).

When exploited, this vulnerability allows an authenticated user to access the system without providing the required two-factor authentication credentials, effectively bypassing an important security control for non-admin security firewalls (GitHub Advisory).

Organizations should upgrade to version 1.2.2 or later of the Admin Classic Bundle to address this vulnerability. Alternatively, they can apply the patch manually, which corrects the logic in the PimcoreUserTwoFactorCondition class to properly enforce 2FA for non-admin firewalls (GitHub Advisory, GitHub Patch).