Change-Password via Portal-Profile sets PimcoreBackendUser password without hashing

Critical
wisconaut published GHSA-74p5-77rq-gfqc Oct 23, 2024

Package

pimcore/portal-engine

Affected versions

< 4.1.7

Patched versions

4.1.7, 3.1.16

Description

Summary

When a PortalUserObject is connected to a PimcoreUser and "Use Pimcore Backend Password" is set to true, the change-password function in the Portal Profile sets the new password on the connected PimcoreUser.

But the password is then stored without hashing, so it can be read in plaintext by anyone with access to the database (table: users):

Details

Both files are part of the PortalEngineBundle.

The error is probably in ChangePasswordService.php on line 37, where the password is used without hashing it.

You can see in UserController.php that the password is received from the form field and never hashed.

PoC

Versions:
pimcore/pimcore:11.2.7
pimcore/portal-engine:4.1.6

Create PortalUserObject
Create PimcoreUserObject
Connect PortalUserObject with PimcoreUserObject and set "Use Pimcore Backend Password" to true
Login to Portal and change password via Portal Profile
You receive a success message, and the password of the respective PimcoreUser is saved to the database without hashing.
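As an added example that is not part of this advisory or of Pimcore's code: after upgrading, any PimcoreUser password that was already written in plaintext stays in the users table, so an operator will want to find those accounts and force a reset. The script below (Python, run over rows exported from the users table) flags password values that do not have the shape of a PHP password_hash() result; it assumes bcrypt or argon2 are the formats normally stored, which is an assumption to verify against your installation.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Formats produced by PHP's password_hash(): bcrypt ($2y$) and argon2i/argon2id.
# Assumption: a correctly stored Pimcore backend password is in one of these.
_HASH_PATTERNS = [
    re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),
    re.compile(r"^\$argon2(?:i|id)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$"),
]


def looks_hashed(value: Optional[str]) -> bool:
    """True if the stored value has the shape of a password_hash() result."""
    if not value:
        return False
    return any(p.match(value) for p in _HASH_PATTERNS)


def find_plaintext_passwords(rows: Iterable[Tuple[int, str, Optional[str]]]) -> List[Tuple[int, str]]:
    """Return (id, name) for users whose password column holds something that is
    not a recognised hash. NULL/empty passwords (e.g. SSO-only users) carry no
    secret and are skipped rather than reported."""
    hits: List[Tuple[int, str]] = []
    for user_id, name, password in rows:
        if not password:
            continue
        if not looks_hashed(password):
            hits.append((user_id, name))
    return hits


# Constructed sample rows standing in for `SELECT id, name, password FROM users`.
# The hash values are made-up strings with the right shape, not real hashes.
SAMPLE_ROWS = [
    (1, "admin", "$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"),
    (2, "editor", "$argon2id$v=19$m=65536,t=4,p=1$c2FsdHNhbHQ$aGFzaGhhc2hoYXNoaGFzaA"),
    (3, "portal-linked", "Summer2024!"),   # written by the vulnerable profile flow
    (4, "sso-only", None),
    (5, "legacy", "hunter2"),
]

if __name__ == "__main__":
    for user_id, name in find_plaintext_passwords(SAMPLE_ROWS):
        print(f"user {user_id} ({name}): password column is not a hash; force a reset")
```

Accounts reported here should have their password rotated rather than re-hashed in place, since the plaintext value has already been exposed to anyone who could read the table.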

Impact

Everyone who connects a PortalUser to a PimcoreUser and changes the password via the profile settings.

Severity

Critical

CVE ID

CVE-2024-49370

Weaknesses

No CWEs

Credits