CVE-2024-21666

2024-01-1101:15:45

Google

osv.dev

pimcore

customer management framework

unauthorized access

pii exposure

authentication

permissions

data vulnerability

patch

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

22.9%

JSON

The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management, segmentation, personalization and marketing automation. An authenticated and unauthorized user can access the list of potential duplicate users and see their data. Permissions are enforced when reaching the /admin/customermanagementframework/duplicates/list endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. Unauthorized user(s) can access PII data from customers. This vulnerability has been patched in version 4.0.6.

CPENameOperatorVersion
customer-data-frameworkeq3.2.8
customer-data-frameworkeq1.6.6
customer-data-frameworkeq1.14.1
customer-data-frameworkeq1.4.8
customer-data-frameworkeq2.4.4
customer-data-frameworkeq1.6.1
customer-data-frameworkeq1.13.0
customer-data-frameworkeq4.0.0-RC1
customer-data-frameworkeq1.7.0
customer-data-frameworkeq2.5.0

Name	Operator	Version
customer-data-framework	eq	3.2.8
customer-data-framework	eq	1.6.6
customer-data-framework	eq	1.14.1
customer-data-framework	eq	1.4.8
customer-data-framework	eq	2.4.4
customer-data-framework	eq	1.6.1
customer-data-framework	eq	1.13.0
customer-data-framework	eq	4.0.0-RC1
customer-data-framework	eq	1.7.0
customer-data-framework	eq	2.5.0