PRIOn knowledge base: PRION:CVE-2024-21666
History: Jan 11, 2024 - 1:15 a.m.

Code injection

Published: 2024-01-11 01:15:00
Source: PRIOn knowledge base (www.prio-n.com)
Tags: code injection, pimcore, customer data management, segmentation, personalization, marketing automation, authenticated user, unauthorized user, permissions enforcement, pii data, patched vulnerability

AI Score: 6.8 Medium (Confidence: Low)
EPSS: 0.001 Low (Percentile: 22.9%)

The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management, segmentation, personalization and marketing automation. An authenticated but unauthorized user can access the list of potential duplicate users and see their data. Permissions are not enforced when reaching the /admin/customermanagementframework/duplicates/list endpoint, allowing an authenticated user without the required permissions to access the endpoint and query the data available there. Unauthorized users can access PII data from customers. This vulnerability has been patched in version 4.0.6.

CPE
Name                            Operator   Version
customer_management_framework   lt         4.0.6
