Lucene search

GoogleOSV:CVE-2023-32075

HistoryMay 11, 2023 - 5:15 p.m.

CVE-2023-32075

2023-05-1117:15:09

Google

osv.dev

cve-2023-32075

customer management framework

pimcore

business logic errors

conditions tab

counter value

patch

workaround

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

36.2%

JSON

The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management. In pimcore/customer-management-framework-bundle prior to version 3.3.9, business logic errors are possible in the Conditions tab since the counter can be a negative number. This vulnerability is capable of the unlogic in the counter value in the Conditions tab. Users should update to version 3.3.9 to receive a patch or, as a workaround, or apply the patch manually.

References

github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch

github.com/pimcore/customer-data-framework/releases/tag/v3.3.9

github.com/pimcore/customer-data-framework/security/advisories/GHSA-x99j-r8vv-gwwj

huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

36.2%

JSON

Related for OSV:CVE-2023-32075