Vulnerability Report

CVE-2024-21666

Title: Pimcore Customer Management Framework

Other

Proof Of Concept

No public PoC currently indexed for CVE-2024-21666.

CWE Category CWE-284
Published Date Jan 11, 2024
Modified Date Nov 21, 2024
Exploit Status Not Found
Score 6.5 CVSS v3.1
Exploit Probability (EPSS)
0.00%

Vulnerability Summary

CVE-2024-21666: The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management, segmentation, personalization and marketing automation. An authenticated and unauthorized user can access the list of potential duplicate users and see their data. Permissions are enforced when reaching the `/admin/customermanagementframework/duplicates/list` endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. Unauthorized user(s) can access PII data from customers. This vulnerability has been patched in version 4.0.6.

Impacted Vendors

P
pimcore 1

Reference Links

https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/DuplicatesController.php#L43 https://github.com/pimcore/customer-data-framework/commit/c33c0048390ef0cf98b801d46a81d0762243baa6 https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-c38c-c8mh-vq68 https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/DuplicatesController.php#L43 https://github.com/pimcore/customer-data-framework/commit/c33c0048390ef0cf98b801d46a81d0762243baa6 https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-c38c-c8mh-vq68
CVSS v3.1
Source Entity [email protected]
Severity MEDIUM
6.5
Attack Vector
NETWORK
Complexity
LOW
Privileges
N/A
Interaction
NONE
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
UNCHANGED
RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v3.1
Source Entity [email protected]
Severity MEDIUM
6.5
Attack Vector
NETWORK
Complexity
LOW
Privileges
N/A
Interaction
NONE
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
UNCHANGED
RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2024-21666 Exploits & PoCs (Proof Of Concept)

No public PoCs found in our database for this CVE.

MODIFIED

Vulnerability data or affected products updated.

PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK
Complexity LOW
Privileges N/A
Interaction NONE
CVSS Vector String CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected Stack

No specific products linked.