Vulnerabilites related to pimcore - customer-data-framework
Vulnerability from fkie_nvd
Published
2023-05-25 09:15
Modified
2024-11-21 07:59
Severity ?
Summary
Storing Passwords in a Recoverable Format in GitHub repository pimcore/customer-data-framework prior to 3.3.10.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
pimcore | customer-data-framework | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:pimcore:customer-data-framework:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF09594A-1AB6-48B9-B217-935B045A57C3", "versionEndExcluding": "3.3.10", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Storing Passwords in a Recoverable Format in GitHub repository pimcore/customer-data-framework prior to 3.3.10." } ], "id": "CVE-2023-2881", "lastModified": "2024-11-21T07:59:29.220", "metrics": { "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:H", "version": "3.0" }, "exploitabilityScore": 1.2, "impactScore": 5.5, "source": "security@huntr.dev", "type": "Secondary" } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-05-25T09:15:11.943", "references": [ { "source": "security@huntr.dev", "tags": [ "Patch" ], "url": "https://github.com/pimcore/customer-data-framework/commit/d1d58c10313f080737dc1e71fab3beb12488a1e6" }, { "source": "security@huntr.dev", "tags": [ "Third Party Advisory" ], "url": "https://huntr.dev/bounties/db6c32f4-742e-4262-8fd5-cefd0f133416" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/pimcore/customer-data-framework/commit/d1d58c10313f080737dc1e71fab3beb12488a1e6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://huntr.dev/bounties/db6c32f4-742e-4262-8fd5-cefd0f133416" } ], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-257" } ], "source": "security@huntr.dev", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-522" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2023-32075 (GCVE-0-2023-32075)
Vulnerability from cvelistv5
Published
2023-05-11 16:39
Modified
2025-01-24 16:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management. In `pimcore/customer-management-framework-bundle` prior to version 3.3.9, business logic errors are possible in the `Conditions` tab since the counter can be a negative number. This vulnerability is capable of the unlogic in the counter value in the Conditions tab. Users should update to version 3.3.9 to receive a patch or, as a workaround, or apply the patch manually.
References
► | URL | Tags |
---|---|---|
|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
pimcore | customer-data-framework |
Version: < 3.3.9 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T15:03:29.082Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-x99j-r8vv-gwwj", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-x99j-r8vv-gwwj" }, { "name": "https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch" }, { "name": "https://github.com/pimcore/customer-data-framework/releases/tag/v3.3.9", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/pimcore/customer-data-framework/releases/tag/v3.3.9" }, { "name": "https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-32075", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-24T16:34:23.576604Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "description": "CWE-noinfo Not enough information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-24T16:38:09.717Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "customer-data-framework", "vendor": "pimcore", "versions": [ { "status": "affected", "version": "\u003c 3.3.9" } ] } ], "descriptions": [ { "lang": "en", "value": "The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management. In `pimcore/customer-management-framework-bundle` prior to version 3.3.9, business logic errors are possible in the `Conditions` tab since the counter can be a negative number. This vulnerability is capable of the unlogic in the counter value in the Conditions tab. Users should update to version 3.3.9 to receive a patch or, as a workaround, or apply the patch manually." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-11T16:39:37.634Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-x99j-r8vv-gwwj", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-x99j-r8vv-gwwj" }, { "name": "https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch" }, { "name": "https://github.com/pimcore/customer-data-framework/releases/tag/v3.3.9", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/pimcore/customer-data-framework/releases/tag/v3.3.9" }, { "name": "https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/", "tags": [ "x_refsource_MISC" ], "url": "https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/" } ], "source": { "advisory": "GHSA-x99j-r8vv-gwwj", "discovery": "UNKNOWN" }, "title": "Pimcore vulnerable to Business Logic Errors in Customer automation rules" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-32075", "datePublished": "2023-05-11T16:39:37.634Z", "dateReserved": "2023-05-01T16:47:35.315Z", "dateUpdated": "2025-01-24T16:38:09.717Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-21666 (GCVE-0-2024-21666)
Vulnerability from cvelistv5
Published
2024-01-11 00:45
Modified
2025-06-03 14:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management, segmentation, personalization and marketing automation. An authenticated and unauthorized user can access the list of potential duplicate users and see their data. Permissions are enforced when reaching the `/admin/customermanagementframework/duplicates/list` endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. Unauthorized user(s) can access PII data from customers. This vulnerability has been patched in version 4.0.6.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
pimcore | customer-data-framework |
Version: < 4.0.6 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:35.774Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-c38c-c8mh-vq68", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-c38c-c8mh-vq68" }, { "name": "https://github.com/pimcore/customer-data-framework/commit/c33c0048390ef0cf98b801d46a81d0762243baa6", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/pimcore/customer-data-framework/commit/c33c0048390ef0cf98b801d46a81d0762243baa6" }, { "name": "https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/DuplicatesController.php#L43", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/DuplicatesController.php#L43" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-21666", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-08T20:11:57.371055Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-03T14:25:35.995Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "customer-data-framework", "vendor": "pimcore", "versions": [ { "status": "affected", "version": "\u003c 4.0.6" } ] } ], "descriptions": [ { "lang": "en", "value": "The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management, segmentation, personalization and marketing automation. An authenticated and unauthorized user can access the list of potential duplicate users and see their data. Permissions are enforced when reaching the `/admin/customermanagementframework/duplicates/list` endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. Unauthorized user(s) can access PII data from customers. This vulnerability has been patched in version 4.0.6.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-11T00:45:44.520Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-c38c-c8mh-vq68", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-c38c-c8mh-vq68" }, { "name": "https://github.com/pimcore/customer-data-framework/commit/c33c0048390ef0cf98b801d46a81d0762243baa6", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/pimcore/customer-data-framework/commit/c33c0048390ef0cf98b801d46a81d0762243baa6" }, { "name": "https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/DuplicatesController.php#L43", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/DuplicatesController.php#L43" } ], "source": { "advisory": "GHSA-c38c-c8mh-vq68", "discovery": "UNKNOWN" }, "title": "Pimcore Customer Data Framework Improper Access Control allows unprivileged user to access customers duplicates list" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-21666", "datePublished": "2024-01-11T00:45:44.520Z", "dateReserved": "2023-12-29T16:10:20.368Z", "dateUpdated": "2025-06-03T14:25:35.995Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-2881 (GCVE-0-2023-2881)
Vulnerability from cvelistv5
Published
2023-05-25 00:00
Modified
2025-01-16 15:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-257 - Storing Passwords in a Recoverable Format
Summary
Storing Passwords in a Recoverable Format in GitHub repository pimcore/customer-data-framework prior to 3.3.10.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
pimcore | pimcore/customer-data-framework |
Version: unspecified < 3.3.10 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T06:41:03.433Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://huntr.dev/bounties/db6c32f4-742e-4262-8fd5-cefd0f133416" }, { "tags": [ "x_transferred" ], "url": "https://github.com/pimcore/customer-data-framework/commit/d1d58c10313f080737dc1e71fab3beb12488a1e6" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-2881", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-16T15:15:00.446850Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-16T15:15:04.522Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "pimcore/customer-data-framework", "vendor": "pimcore", "versions": [ { "lessThan": "3.3.10", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Storing Passwords in a Recoverable Format in GitHub repository pimcore/customer-data-framework prior to 3.3.10." } ], "metrics": [ { "cvssV3_0": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:H", "version": "3.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-257", "description": "CWE-257 Storing Passwords in a Recoverable Format", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-25T00:00:00", "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev" }, "references": [ { "url": "https://huntr.dev/bounties/db6c32f4-742e-4262-8fd5-cefd0f133416" }, { "url": "https://github.com/pimcore/customer-data-framework/commit/d1d58c10313f080737dc1e71fab3beb12488a1e6" } ], "source": { "advisory": "db6c32f4-742e-4262-8fd5-cefd0f133416", "discovery": "EXTERNAL" }, "title": "Storing Passwords in a Recoverable Format in pimcore/customer-data-framework" } }, "cveMetadata": { "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "cveId": "CVE-2023-2881", "datePublished": "2023-05-25T00:00:00", "dateReserved": "2023-05-25T00:00:00", "dateUpdated": "2025-01-16T15:15:04.522Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-11956 (GCVE-0-2024-11956)
Vulnerability from cvelistv5
Published
2025-01-28 13:46
Modified
2025-01-28 14:14
Severity ?
5.1 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
4.7 (Medium) - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
4.7 (Medium) - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
VLAI Severity ?
EPSS score ?
Summary
A vulnerability, which was classified as critical, has been found in Pimcore customer-data-framework up to 4.2.0. Affected by this issue is some unknown functionality of the file /admin/customermanagementframework/customers/list. The manipulation of the argument filterDefinition/filter leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component.
References
► | URL | Tags | |||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Pimcore | customer-data-framework |
Version: 4.0 Version: 4.1 Version: 4.2 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-11956", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-01-28T14:13:58.096948Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-28T14:14:01.837Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-q53r-9hh9-w277" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "customer-data-framework", "vendor": "Pimcore", "versions": [ { "status": "affected", "version": "4.0" }, { "status": "affected", "version": "4.1" }, { "status": "affected", "version": "4.2" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability, which was classified as critical, has been found in Pimcore customer-data-framework up to 4.2.0. Affected by this issue is some unknown functionality of the file /admin/customermanagementframework/customers/list. The manipulation of the argument filterDefinition/filter leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component." }, { "lang": "de", "value": "Eine kritische Schwachstelle wurde in Pimcore customer-data-framework bis 4.2.0 entdeckt. Es geht hierbei um eine nicht n\u00e4her spezifizierte Funktion der Datei /admin/customermanagementframework/customers/list. Durch Manipulieren des Arguments filterDefinition/filter mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung. Ein Aktualisieren auf die Version 4.2.1 vermag dieses Problem zu l\u00f6sen. Als bestm\u00f6gliche Massnahme wird das Einspielen eines Upgrades empfohlen." } ], "metrics": [ { "cvssV4_0": { "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0" } }, { "cvssV3_1": { "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } }, { "cvssV3_0": { "baseScore": 4.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.0" } }, { "cvssV2_0": { "baseScore": 5.8, "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "version": "2.0" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-89", "description": "SQL Injection", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-74", "description": "Injection", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-28T13:46:27.639Z", "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB" }, "references": [ { "name": "VDB-293906 | Pimcore customer-data-framework list sql injection", "tags": [ "vdb-entry", "technical-description" ], "url": "https://vuldb.com/?id.293906" }, { "name": "VDB-293906 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": [ "signature", "permissions-required" ], "url": "https://vuldb.com/?ctiid.293906" }, { "name": "Submit #451863 | Pimcore 11.4.2 SQL Injection", "tags": [ "third-party-advisory" ], "url": "https://vuldb.com/?submit.451863" }, { "tags": [ "exploit" ], "url": "https://github.com/pimcore/pimcore/security/advisories/GHSA-q53r-9hh9-w277" }, { "tags": [ "patch" ], "url": "https://github.com/pimcore/customer-data-framework/releases/tag/v4.2.1" } ], "timeline": [ { "lang": "en", "time": "2025-01-28T00:00:00.000Z", "value": "Advisory disclosed" }, { "lang": "en", "time": "2025-01-28T01:00:00.000Z", "value": "VulDB entry created" }, { "lang": "en", "time": "2025-01-28T14:51:15.000Z", "value": "VulDB entry last update" } ], "title": "Pimcore customer-data-framework list sql injection" } }, "cveMetadata": { "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "assignerShortName": "VulDB", "cveId": "CVE-2024-11956", "datePublished": "2025-01-28T13:46:27.639Z", "dateReserved": "2024-11-28T06:54:44.520Z", "dateUpdated": "2025-01-28T14:14:01.837Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2023-49076 (GCVE-0-2023-49076)
Vulnerability from cvelistv5
Published
2023-11-30 05:42
Modified
2025-06-05 13:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5.
References
► | URL | Tags |
---|---|---|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
pimcore | customer-data-framework |
Version: < 4.0.5 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:46:28.973Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-xx63-4jr8-9ghc", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-xx63-4jr8-9ghc" }, { "name": "https://github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433eff0aa2a9b537a89f7.patch", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433eff0aa2a9b537a89f7.patch" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2023-49076", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-06-05T13:26:59.665360Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-05T13:27:42.356Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "customer-data-framework", "vendor": "pimcore", "versions": [ { "status": "affected", "version": "\u003c 4.0.5" } ] } ], "descriptions": [ { "lang": "en", "value": "Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-30T05:42:12.668Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-xx63-4jr8-9ghc", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-xx63-4jr8-9ghc" }, { "name": "https://github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433eff0aa2a9b537a89f7.patch", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433eff0aa2a9b537a89f7.patch" } ], "source": { "advisory": "GHSA-xx63-4jr8-9ghc", "discovery": "UNKNOWN" }, "title": "Pimcore missing token/header to prevent CSRF" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-49076", "datePublished": "2023-11-30T05:42:12.668Z", "dateReserved": "2023-11-21T18:57:30.427Z", "dateUpdated": "2025-06-05T13:27:42.356Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-21667 (GCVE-0-2024-21667)
Vulnerability from cvelistv5
Published
2024-01-11 01:05
Modified
2025-06-17 21:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
pimcore/customer-data-framework is the Customer Management Framework for management of customer data within Pimcore. An authenticated and unauthorized user can access the GDPR data extraction feature and query over the information returned, leading to customer data exposure. Permissions are not enforced when reaching the `/admin/customermanagementframework/gdpr-data/search-data-objects` endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. An unauthorized user can access PII data from customers. This vulnerability has been patched in version 4.0.6.
References
► | URL | Tags | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
|
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
pimcore | customer-data-framework |
Version: < 4.0.6 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T22:27:36.094Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-g273-wppx-82w4", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-g273-wppx-82w4" }, { "name": "https://github.com/pimcore/customer-data-framework/commit/6c34515be2ba39dceee7da07a1abf246309ccd77", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/pimcore/customer-data-framework/commit/6c34515be2ba39dceee7da07a1abf246309ccd77" }, { "name": "https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/GDPRDataController.php#L38", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/GDPRDataController.php#L38" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-21667", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-01-11T19:43:41.741890Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-17T21:09:16.182Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "customer-data-framework", "vendor": "pimcore", "versions": [ { "status": "affected", "version": "\u003c 4.0.6" } ] } ], "descriptions": [ { "lang": "en", "value": "pimcore/customer-data-framework is the Customer Management Framework for management of customer data within Pimcore. An authenticated and unauthorized user can access the GDPR data extraction feature and query over the information returned, leading to customer data exposure. Permissions are not enforced when reaching the `/admin/customermanagementframework/gdpr-data/search-data-objects` endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. An unauthorized user can access PII data from customers. This vulnerability has been patched in version 4.0.6.\n" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-01-11T01:05:35.979Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-g273-wppx-82w4", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-g273-wppx-82w4" }, { "name": "https://github.com/pimcore/customer-data-framework/commit/6c34515be2ba39dceee7da07a1abf246309ccd77", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/pimcore/customer-data-framework/commit/6c34515be2ba39dceee7da07a1abf246309ccd77" }, { "name": "https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/GDPRDataController.php#L38", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/GDPRDataController.php#L38" } ], "source": { "advisory": "GHSA-g273-wppx-82w4", "discovery": "UNKNOWN" }, "title": "Pimcore Customer Data Framework Improper Access Control allows unprivileged user to access GDPR extracts" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-21667", "datePublished": "2024-01-11T01:05:35.979Z", "dateReserved": "2023-12-29T16:10:20.368Z", "dateUpdated": "2025-06-17T21:09:16.182Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }