CVE-2023-32075
MEDIUMpimcore customer_management_framework < 3.3.9 - Business Logic Error via Conditions Tab Counter
Title source: llmDescription
The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management. In `pimcore/customer-management-framework-bundle` prior to version 3.3.9, business logic errors are possible in the `Conditions` tab since the counter can be a negative number. This vulnerability is capable of the unlogic in the counter value in the Conditions tab. Users should update to version 3.3.9 to receive a patch or, as a workaround, or apply the patch manually.
References (4)
Core 4
Core References
Mitigation, Patch, Vendor Advisory x_refsource_confirm
https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-x99j-r8vv-gwwj
Patch x_refsource_misc
https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch
Release Notes x_refsource_misc
https://github.com/pimcore/customer-data-framework/releases/tag/v3.3.9
Exploit, Third Party Advisory x_refsource_misc
https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/
Scores
CVSS v3
4.3
EPSS
0.0076
EPSS Percentile
50.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-20
Status
published
Products (2)
pimcore/customer-management-framework-bundle
0 - 3.3.9Packagist
pimcore/customer_management_framework
< 3.3.9
Published
May 11, 2023
Tracked Since
Feb 18, 2026