
Cloud Vulnerability DB
A community-led vulnerabilities database
A host header injection vulnerability (CVE-2024-23648) was discovered in Pimcore's admin-ui-classic-bundle, affecting versions prior to 1.2.3. The flaw is in the admin interface's password reset functionality, which builds the password reset URL from the HTTP Host header of the incoming request without validating it. The issue was disclosed on January 24, 2024 (GitHub Advisory).
The password reset feature emails the user a URL containing a unique token that is valid for 24 hours. The reset-password URL in that email is constructed from the 'Host' HTTP header of the password reset request, so whoever submits the request controls the host the link points at. The vulnerability received a CVSS v3.1 score of 8.8 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The affected code is in src/Controller/Admin/UserController.php (GitHub Advisory).
The vulnerability can lead to a one-click account takeover. An attacker submits a password reset request for a target user with a Host header pointing at a server they control. The reset email, sent to the legitimate user by the legitimate application, then contains a link to the attacker's host. When the user clicks it, the token is delivered to the attacker, who can use it against the real Pimcore instance to set a new password and gain unauthorized access to the account (GitHub Advisory).
The vulnerability has been patched in version 1.2.3 of the admin-ui-classic-bundle. The fix introduces a server host variable and enables password reset only when that variable is set, so the reset URL is built from configured server state rather than from the request's Host header. The fix was implemented in a commit addressing the host header injection issue (GitHub Commit). Until an upgrade to 1.2.3 or later is possible, a reverse proxy or web server that only accepts requests for the site's real hostname denies the attacker control over the Host header.
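As an added example (not Pimcore's code and not the patch itself), the following plain PHP puts the vulnerable URL construction next to a hardened one shaped like the fix described above: the host comes from a configured server host value, and password reset is refused when that value is absent. The config key server_host, the /admin/reset-password path, the function names and the sample hostnames are assumptions for illustration only; the request headers are constructed inline so the script runs offline.

```php
<?php
// Added example, not Pimcore's code: vulnerable reset-URL construction
// (host taken from the request) beside a hardened version (host pinned to
// configuration). server_host and /admin/reset-password are assumed names.
declare(strict_types=1);

// Vulnerable pattern: the link's host is whatever the client sent.
// An attacker requesting a reset for the victim's account sets Host to a
// server they control, and the email the victim receives links there.
function buildResetUrlVulnerable(string $scheme, array $headers, string $token): string
{
    $host = $headers['Host'] ?? 'localhost';
    return sprintf('%s://%s/admin/reset-password?token=%s', $scheme, $host, rawurlencode($token));
}

// Hardened pattern: the host comes from configuration, never from the request,
// and password reset is refused outright when no host is configured.
function buildResetUrlHardened(array $config, string $token): string
{
    $serverHost = $config['server_host'] ?? '';
    if ($serverHost === '') {
        throw new RuntimeException('Password reset is disabled until server_host is configured');
    }
    // Accept only a hostname with an optional port, so a bad config value
    // cannot smuggle in userinfo, a path or a second URL.
    if (!preg_match('/^[A-Za-z0-9.-]+(:[0-9]{1,5})?$/', $serverHost)) {
        throw new RuntimeException('server_host is not a plain host[:port]');
    }
    // Scheme is fixed to https here; the admin UI should not be served over plain HTTP.
    return sprintf('https://%s/admin/reset-password?token=%s', $serverHost, rawurlencode($token));
}

// Defence in depth: reject requests whose Host header is not on an allowlist,
// comparing case-insensitively and ignoring any port suffix.
function hostIsTrusted(string $hostHeader, array $trustedHosts): bool
{
    $host = strtolower(explode(':', $hostHeader, 2)[0]);
    foreach ($trustedHosts as $trusted) {
        if ($host === strtolower($trusted)) {
            return true;
        }
    }
    return false;
}

// Constructed sample request: the attacker asks for a reset of a victim's
// account while overriding the Host header with a host they control.
$attackerHeaders = ['Host' => 'attacker.example'];
$config          = ['server_host' => 'pimcore.example.com'];
$trustedHosts    = ['pimcore.example.com'];
$token           = bin2hex(random_bytes(16)); // stands in for the 24-hour reset token

echo "vulnerable link: ", buildResetUrlVulnerable('https', $attackerHeaders, $token), PHP_EOL;
echo "hardened link:   ", buildResetUrlHardened($config, $token), PHP_EOL;
echo "Host header trusted? ", hostIsTrusted($attackerHeaders['Host'], $trustedHosts) ? 'yes' : 'no', PHP_EOL;

// With no server host configured the hardened path refuses to issue a link at all.
try {
    buildResetUrlHardened([], $token);
} catch (RuntimeException $e) {
    echo "unconfigured: ", $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`: the vulnerable line shows the token embedded in a link to attacker.example, the hardened line always points at the configured host, and the allowlist check rejects the attacker's Host header. In a Symfony application the same allowlist can be enforced at the framework level with the trusted_hosts setting, which is worth enabling independently of this patch.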
Source: This report was generated using AI