CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
22.7%
An authenticated and unauthorized user can access the list of potential duplicate users and see their data.
Permissions do not seem to be enforced when reaching the /admin/customermanagementframework/duplicates/list
endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. It seems that the access control is not enforced in this place :
<https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/DuplicatesController.php#L43>
In order to reproduce the issue, the following steps can be followed :
https://pimcore_instance/admin/customermanagementframework/duplicates/list
and the results will be returned to this unauthorized userAn unauthorized user can access PII data from customers without being authorized to.
github.com/pimcore/customer-data-framework
github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/DuplicatesController.php#L43
github.com/pimcore/customer-data-framework/commit/c33c0048390ef0cf98b801d46a81d0762243baa6
github.com/pimcore/customer-data-framework/security/advisories/GHSA-c38c-c8mh-vq68
nvd.nist.gov/vuln/detail/CVE-2024-21666
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
22.7%