CVSS3 base score: 7.2 High
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | HIGH |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

EPSS: 0.001 (Low), percentile 39.5%
An administrator user can use the inheritable segments feature to execute their own blind SQL queries.
A user with administrator privileges can therefore run arbitrary SQL queries against the database. This can be used to retrieve sensitive data, modify database contents, or carry out any other malicious activity against the database.
Update to version 3.3.10 or apply this patch manually: https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe.patch
Workaround: apply https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe.patch manually.
https://huntr.dev/bounties/cf398528-819f-456e-88e7-c06d268d3f44/
CPE | Name | Operator | Version |
---|---|---|---|
 | pimcore/customer-management-framework-bundle | lt | 3.3.10 |
github.com/advisories/GHSA-25fx-3c2q-cq46
github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe
github.com/pimcore/customer-data-framework/security/advisories/GHSA-25fx-3c2q-cq46
huntr.dev/bounties/cf398528-819f-456e-88e7-c06d268d3f44
nvd.nist.gov/vuln/detail/CVE-2023-2756