OSV:GHSA-X99J-R8VV-GWWJ
History: May 11, 2023 - 4:39 p.m.

Pimcore vulnerable to Business Logic Errors via Customer automation rules

2023-05-11 16:39:47
Google
osv.dev
pimcore
business logic errors
customer automation rules
vulnerability
conditions tab
patch
workaround
security advisory

CVSS3: 4.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS: 0.001
Percentile: 36.2%

Impact

Business logic error in the Conditions tab of customer automation rules: the counter can be set to a negative number.

This vulnerability allows an illogical (negative) counter value to be stored and evaluated in the Conditions tab.

Patches

Update to version 3.3.9, or apply this patch manually: https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch

Workarounds

Apply https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch manually.

References

https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/
