Lucene search

GitHub_MCVELIST:CVE-2023-49076

HistoryNov 30, 2023 - 5:42 a.m.

CVE-2023-49076 Pimcore missing token/header to prevent CSRF

2023-11-3005:42:12

CWE-352

GitHub_M

www.cve.org

cve-2023-49076

pimcore

csrf

customer-data-framework

version 4.0.5

vulnerability

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

20.1%

JSON

Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5.

CNA Affected

[
  {
    "vendor": "pimcore",
    "product": "customer-data-framework",
    "versions": [
      {
        "version": "< 4.0.5",
        "status": "affected"
      }
    ]
  }
]

References

github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433eff0aa2a9b537a89f7.patch

github.com/pimcore/customer-data-framework/security/advisories/GHSA-xx63-4jr8-9ghc

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

20.1%

JSON

Related for CVELIST:CVE-2023-49076