CVE-2024-21666

Pimcore Customer Data Framework Improper Access Control allows unprivileged user to access customers duplicates list

CVSS 6.5 MEDIUMEPSS 0.6%CWE-284

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 6.5EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

11 jan 2024Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management, segmentation, personalization and marketing automation. An authenticated and unauthorized user can access the list of potential duplicate users and see their data. Permissions are enforced when reaching the `/admin/customermanagementframework/duplicates/list` endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. Unauthorized user(s) can access PII data from customers. This vulnerability has been patched in version 4.0.6.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Produtos afetados

pimcore · customer-data-framework

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/DuplicatesController.php#L43 https://github.com/pimcore/customer-data-framework/commit/c33c0048390ef0cf98b801d46a81d0762243baa6 https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-c38c-c8mh-vq68