CVE-2024-21666

MEDIUM

Pimcore Customer Management Framework - Improper Access Control

Title source: rule

Description

The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management, segmentation, personalization and marketing automation. An authenticated and unauthorized user can access the list of potential duplicate users and see their data. Permissions are enforced when reaching the `/admin/customermanagementframework/duplicates/list` endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. Unauthorized user(s) can access PII data from customers. This vulnerability has been patched in version 4.0.6.

References (3)

Core 3

Core References

Exploit, Patch, Vendor Advisory x_refsource_confirm

https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-c38c-c8mh-vq68

Patch x_refsource_misc

https://github.com/pimcore/customer-data-framework/commit/c33c0048390ef0cf98b801d46a81d0762243baa6

View Patch ZIP pw:eip

Issue Tracking x_refsource_misc

https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/DuplicatesController.php#L43

View Writeup ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0001

EPSS Percentile 0.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (2)

pimcore/customer-management-framework-bundle 0 - 4.0.6Packagist

pimcore/customer_management_framework < 4.0.6

Published Jan 11, 2024

Tracked Since Feb 18, 2026