GitHub Advisory DatabaseGHSA-25FX-3C2Q-CQ46pimcore/customer-management-framework-bundle has SQL Injection vulnerability in Segment Assignment query
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
39.5%
Impact
An administrator user can use the inheritable segments feature to execute his own blind SQL queries.
A user with administrator privileges can run any SQL query on database. This can be used to retrieve sensitive data, change database information or any other malicious activity against the database.
Patches
Update to version 3.3.10 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe.patch
Workarounds
Apply https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe.patch manually.
References
https://huntr.dev/bounties/cf398528-819f-456e-88e7-c06d268d3f44/
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| pimcore/customer-management-framework-bundle | lt | 3.3.10 |
References
github.com/advisories/GHSA-25fx-3c2q-cq46
github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe
github.com/pimcore/customer-data-framework/security/advisories/GHSA-25fx-3c2q-cq46
huntr.dev/bounties/cf398528-819f-456e-88e7-c06d268d3f44
nvd.nist.gov/vuln/detail/CVE-2023-2756
Related
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
39.5%