CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
18.0%
An authenticated and unauthorized user can access the back-office orders list and be able to query over the information returned.
Permissions do not seem to be enforced when reaching the admin/ecommerceframework/admin-order/list
endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. It seems that the access control is not enforced in this place :
Note : Testing this vulnerability requires a fully configured ecommerce website, but it looks vulnerable as when requesting the endpoint the data seem returned (and when looking at the source code nothing seems to validate the permissions on the specified endpoint).
In order to reproduce the issue, the following steps can be followed :
https://pimcore_instance/admin/ecommerceframework/admin-order/list
and the results will be returned to this unauthorized userAn unauthorized user can access back-office orders without being authorized to.
github.com/pimcore/ecommerce-framework-bundle
github.com/pimcore/ecommerce-framework-bundle/blob/ff6ff287b6eb468bb940909c56970363596e5c21/src/Controller/AdminOrderController.php#L98
github.com/pimcore/ecommerce-framework-bundle/commit/05dec000ed009828084d05cf686f468afd1f464e
github.com/pimcore/ecommerce-framework-bundle/releases/tag/v1.0.10
github.com/pimcore/ecommerce-framework-bundle/security/advisories/GHSA-cx99-25hr-5jxf
nvd.nist.gov/vuln/detail/CVE-2024-21665
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
18.0%