CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence: High
EPSS Percentile: 22.7%
pimcore/customer-data-framework is vulnerable to Improper Authorization. The vulnerability is due to insufficient permission enforcement on the /admin/customermanagementframework/gdpr-data/search-data-objects endpoint: an authenticated backend user who has not been granted the permission for this endpoint can still query the data it returns. This matches the CVSS vector above: the attacker needs a valid low-privileged login (PR:L) and the impact is confidentiality only (C:H), since the endpoint reads customer data rather than modifying it.
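The following PHP is an added illustration of the class of bug described above; it is not code from pimcore/customer-data-framework and does not reproduce the project's controller. It models an admin controller action that returns search results after authentication but without an authorization check, next to the hardened shape that gates the action on a feature permission. The class names, the in-memory repository and the permission key 'plugin_cmf_perm_gdpr_data_extractor' are assumptions made for this example.

```php
<?php
// Added illustration, not code from pimcore/customer-data-framework.
// It models the authorization gap described above: an admin controller
// action that returns GDPR search results without checking that the
// calling backend user holds the permission for that feature.
// Names below (User, AccessDeniedHttpException, the two controllers and
// the permission key 'plugin_cmf_perm_gdpr_data_extractor') are
// assumptions made for this example.

final class AccessDeniedHttpException extends RuntimeException {}

final class User
{
    /** @param string[] $permissions permission keys granted to this user */
    public function __construct(public string $name, private array $permissions) {}

    public function isAllowed(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

// Minimal stand-in for the data objects the endpoint would search
// (constructed sample data, not real customer records).
final class DataObjectRepository
{
    private const OBJECTS = [
        ['id' => 1, 'email' => 'alice@example.test'],
        ['id' => 2, 'email' => 'bob@example.test'],
    ];

    /** @return array<int, array{id:int,email:string}> */
    public function search(string $term): array
    {
        return array_values(array_filter(
            self::OBJECTS,
            fn(array $o) => str_contains($o['email'], $term)
        ));
    }
}

abstract class AdminController
{
    public function __construct(protected User $user) {}

    /** Throws unless the current backend user holds $permission. */
    protected function checkPermission(string $permission): void
    {
        if (!$this->user->isAllowed($permission)) {
            throw new AccessDeniedHttpException(
                sprintf('User "%s" lacks permission "%s"', $this->user->name, $permission)
            );
        }
    }
}

// Vulnerable shape: authentication is assumed to have happened (the user
// reached /admin), but no authorization check is made for the feature.
final class VulnerableGdprDataController extends AdminController
{
    public function searchDataObjectsAction(string $term, DataObjectRepository $repo): array
    {
        return $repo->search($term);
    }
}

// Hardened shape: the action enforces the feature permission before
// touching any data. Any authenticated user without it is rejected.
final class HardenedGdprDataController extends AdminController
{
    private const PERMISSION = 'plugin_cmf_perm_gdpr_data_extractor'; // assumed key

    public function searchDataObjectsAction(string $term, DataObjectRepository $repo): array
    {
        $this->checkPermission(self::PERMISSION);
        return $repo->search($term);
    }
}

// Demo: a backend user who holds some other permission but not the GDPR one.
$repo = new DataObjectRepository();
$lowPriv = new User('editor', ['documents']);

$leaked = (new VulnerableGdprDataController($lowPriv))->searchDataObjectsAction('example', $repo);
echo 'vulnerable: returned ' . count($leaked) . " objects to a user without the permission\n";

try {
    (new HardenedGdprDataController($lowPriv))->searchDataObjectsAction('example', $repo);
    echo "hardened: returned data (unexpected)\n";
} catch (AccessDeniedHttpException $e) {
    echo 'hardened: access denied, ' . $e->getMessage() . "\n";
}
```

The practical check after updating an instance is the same as the demo: log in as a backend user who holds no customer-data-framework permission and request the search-data-objects endpoint; a fixed deployment must answer with an access-denied response rather than a result set.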
github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/GDPRDataController.php#L38
github.com/pimcore/customer-data-framework/commit/6c34515be2ba39dceee7da07a1abf246309ccd77
github.com/pimcore/customer-data-framework/security/advisories/GHSA-g273-wppx-82w4