Lucene search

Veracode Vulnerability DatabaseVERACODE:44999

HistoryJan 11, 2024 - 5:15 a.m.

Improper Authorization

2024-01-1105:15:58

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

pimcore

customer management

improper authorization

duplicatescontroller

user data access

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.9%

JSON

pimcore/customer-management-framework-bundle is vulnerable to Improper Authorization. The vulnerability is caused due to improper authorization checks within DuplicatesController.php. This allows authenticated and unauthorized user to access the list of potential duplicate users and see their data.

CPENameOperatorVersion
pimcore/customer-management-framework-bundlelev4.0.5
pimcore/customer-management-framework-bundlelev4.0.5

CPE	Name	Operator	Version
	pimcore/customer-management-framework-bundle	le	v4.0.5
	pimcore/customer-management-framework-bundle	le	v4.0.5

References

github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/DuplicatesController.php#L43

github.com/pimcore/customer-data-framework/commit/c33c0048390ef0cf98b801d46a81d0762243baa6

github.com/pimcore/customer-data-framework/security/advisories/GHSA-c38c-c8mh-vq68

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

22.9%

JSON

Related for VERACODE:44999