cvelist / GitHub_M / CVELIST:CVE-2023-32075
History: May 11, 2023 - 4:39 p.m.

CVE-2023-32075 Pimcore vulnerable to Business Logic Errors in Customer automation rules

2023-05-11 16:39:37
CWE-20
GitHub_M
www.cve.org
cve-2023-32075
pimcore
business logic errors
customer management framework
conditions tab
patch
vulnerability

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

4.9

Confidence

High

EPSS

0.001

Percentile

36.2%

The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management. In pimcore/customer-management-framework-bundle prior to version 3.3.9, business logic errors are possible in the Conditions tab because the counter can be set to a negative number. The vulnerability allows an illogical (negative) counter value to be stored and used in the Conditions tab. Users should update to version 3.3.9 to receive a patch or, as a workaround, apply the patch manually.
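The following is an added illustration of the defect class the advisory describes, not code from Pimcore or the CMF bundle. It models a hypothetical "counter" condition (the class and function names are assumptions, and PHP 8.1+ is assumed) and shows the weak form, which casts the submitted value and therefore accepts a negative counter, next to a hardened form that rejects anything that is not a non-negative integer before a rule is built.

```php
<?php
declare(strict_types=1);

// Hypothetical, simplified model of a "counter" condition: a rule fires when a
// customer's activity count compares against a configured threshold. The names
// CounterCondition, buildConditionWeak, buildConditionHardened and
// validateCounter are assumptions for this example, not Pimcore's own API.
final class CounterCondition
{
    public function __construct(
        public readonly string $operator,
        public readonly int $threshold,
    ) {}

    public function matches(int $activityCount): bool
    {
        return match ($this->operator) {
            '>=' => $activityCount >= $this->threshold,
            '<=' => $activityCount <= $this->threshold,
            '==' => $activityCount === $this->threshold,
            default => throw new InvalidArgumentException("unknown operator {$this->operator}"),
        };
    }
}

// Weak handling: casts whatever the form sent, so "-5" becomes -5 and a rule
// like "activity count >= -5" matches every customer, including inactive ones.
function buildConditionWeak(array $formData): CounterCondition
{
    return new CounterCondition((string) $formData['operator'], (int) $formData['counter']);
}

// Hardened handling: the counter must parse as an integer and be >= 0.
// filter_var with FILTER_VALIDATE_INT and min_range rejects "-5", "abc", "1.5".
function validateCounter(mixed $raw): int
{
    if (!is_string($raw) && !is_int($raw)) {
        throw new InvalidArgumentException('counter must be an integer');
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($value === false) {
        throw new InvalidArgumentException('counter must be a non-negative integer');
    }
    return $value;
}

function buildConditionHardened(array $formData): CounterCondition
{
    $allowed = ['>=', '<=', '=='];
    $op = (string) ($formData['operator'] ?? '');
    if (!in_array($op, $allowed, true)) {
        throw new InvalidArgumentException('unknown operator');
    }
    return new CounterCondition($op, validateCounter($formData['counter'] ?? null));
}

// Constructed sample submission: a negative counter, as the advisory describes.
$submitted = ['operator' => '>=', 'counter' => '-5'];

$weak = buildConditionWeak($submitted);
var_dump($weak->matches(0)); // bool(true): a customer with zero activity still matches

try {
    buildConditionHardened($submitted);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The point of validating at the boundary (here, when the form data is turned into a rule object) rather than at evaluation time is that a stored negative counter would otherwise silently change which customers every automation rule selects, which is the integrity impact the CVSS vector records.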

CNA Affected

[
  {
    "vendor": "pimcore",
    "product": "customer-data-framework",
    "versions": [
      {
        "version": "< 3.3.9",
        "status": "affected"
      }
    ]
  }
]

