Pimcore before 6.2.2 allows attackers to brute-force (guess) valid usernames by using the 'forgot password' functionality, as it returns distinct messages for invalid password and non-existing users.
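The weakness is a response oracle: the reset endpoint answers differently depending on whether the submitted username exists, so a caller can confirm accounts one by one. The following added example (not Pimcore's code; the user store, handler names and messages are constructed for illustration) shows the leaky pattern next to the uniform-response pattern, plus a black-box check a defender can run against any such handler to confirm the two cases are indistinguishable.

```python
"""Username enumeration through a password-reset endpoint: leaky vs. uniform responses.

Added illustration, not Pimcore code. The user store, handlers and messages are
constructed for this example.
"""
from dataclasses import dataclass
from typing import Callable, List

# Constructed in-memory user store (no real accounts).
USERS = {"alice": "alice@example.invalid", "bob": "bob@example.invalid"}

# Records reset mails "sent" so the example runs offline.
SENT: List[str] = []


def send_reset_mail(email: str) -> None:
    """Stand-in for the real mailer: just record the recipient."""
    SENT.append(email)


@dataclass(frozen=True)
class ResetResponse:
    status: int
    message: str


def forgot_password_leaky(username: str) -> ResetResponse:
    """Vulnerable pattern: status and message reveal whether the account exists."""
    email = USERS.get(username)
    if email is None:
        return ResetResponse(404, "User not found")
    send_reset_mail(email)
    return ResetResponse(200, "Password reset email sent")


def forgot_password_uniform(username: str) -> ResetResponse:
    """Hardened pattern: identical status and message for every username.

    The mail is still only sent when the account exists, but the response
    carries no information about which branch was taken.
    """
    email = USERS.get(username)
    if email is not None:
        send_reset_mail(email)
    return ResetResponse(
        200, "If an account exists for that username, a reset email has been sent."
    )


def is_enumerable(
    handler: Callable[[str], ResetResponse], known_user: str, unknown_user: str
) -> bool:
    """Defender's check: do a known and an unknown username get different responses?

    True means the handler can be used as a username oracle.
    """
    known = handler(known_user)
    unknown = handler(unknown_user)
    return (known.status, known.message) != (unknown.status, unknown.message)


if __name__ == "__main__":
    print("leaky handler enumerable:", is_enumerable(forgot_password_leaky, "alice", "mallory"))
    print("uniform handler enumerable:", is_enumerable(forgot_password_uniform, "alice", "mallory"))
```

The same check applies to any per-case difference, not only the message text: status codes, redirect targets and response timing all need to match. Because the hardened handler still does more work for an existing account (sending mail), in practice the mail send should be handed to a background queue so that response time does not become the next oracle; per-source rate limiting on the endpoint further limits how many guesses can be confirmed.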
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| pimcore/pimcore (Packagist) | 0 | 6.2.2 | N/A |
CVSS Metrics