9 matches found
CVE-2023-4145
CVE-2023-4145 is a stored XSS vulnerability in pimcore/customer-data-framework present in versions prior to 3.4.2. The issue stems from cross-site scripting in the Customer Data Framework that could be triggered via HTML injection in emails, potentially allowing an attacker to influence a victim’...
CVE-2023-32075
Summary of CVE-2023-32075: The Pimcore CMF’s customer-management-framework-bundle is affected in versions before 3.3.9. A business-logic flaw in the Conditions tab allows the counter value to become negative, leading to unlogic in the UI/logic. The issue is fixed in version 3.3.9; patch guidance ...
CVE-2021-31867
CVE-2021-31867 affects Pimcore Customer Data Framework (CDF) v3.0.0 and earlier. The issue is a Boolean-based blind SQL injection in the SegmentAssignmentController.php, where the request parameter id is interpolated into a SQL query, enabling data exposure through crafted requests. The vulnerabi...
CVE-2023-3574
CVE-2023-3574 : The issue affects pimcore/customer-data-framework prior to 3.4.1, where improper authorization checks allow an unauthorized actor to access resources or perform actions. The Red Hat/Veracode/GHSA entries corroborate the same vulnerability description. A patch is available: upgrade...
CVE-2023-2881
Summary: CVE-2023-2881 affects pimcore/customer-data-framework prior to version 3.3.10, where passwords were stored in a recoverable format. The issue stems from how password hashes are handled in the customer data views, enabling potential disclosure of password hashes. Affected component: pimco...
CVE-2023-2756
CVE-2023-2756 is a SQL injection vulnerability in Pimcore’s customer-data-framework prior to version 3.3.10. The issue affects the Pimcore product/component and is rooted in insecure handling of SQL queries within the segment/authorization logic, allowing an administrator-like user to execute arb...
CVE-2024-21667
The CVE-2024-21667 issue affects Pimcore's customer-data-framework. An authenticated user lacking proper permissions can access the GDPR data extraction endpoint at /admin/customermanagementframework/gdpr-data/search-data-objects and query the results, exposing PII. Root cause: access control not...
CVE-2024-21666
PIMCORE CVE-2024-21666 affects the Pimcore Customer Management Framework (CMF). The issue is an improper access control in the DuplicatesController that allows an authenticated user without required permissions—and in practice, unauthorized users as well—to access the duplicates list endpoint at ...
CVE-2023-2629
The CVE-2023-2629 entry describes a CSV Injection vulnerability in pimcore/customer-data-framework (GitHub repo) prior to version 3.3.9. The root cause is Improper Neutralization/Escaping of formula elements in CSV exports, notably in fields like Firstname, Lastname, Street, Zip, and City, which ...