CVE-2024-21667

MEDIUM

Pimcore Customer Management Framework - Improper Access Control

Title source: rule

Description

pimcore/customer-data-framework is the Customer Management Framework for management of customer data within Pimcore. An authenticated and unauthorized user can access the GDPR data extraction feature and query over the information returned, leading to customer data exposure. Permissions are not enforced when reaching the `/admin/customermanagementframework/gdpr-data/search-data-objects` endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. An unauthorized user can access PII data from customers. This vulnerability has been patched in version 4.0.6.

References (3)

Core 3

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-g273-wppx-82w4

Patch x_refsource_misc

https://github.com/pimcore/customer-data-framework/commit/6c34515be2ba39dceee7da07a1abf246309ccd77

View Patch ZIP pw:eip

Issue Tracking x_refsource_misc

https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/GDPRDataController.php#L38

Scores

CVSS v3 6.5

EPSS 0.0001

EPSS Percentile 2.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (2)

pimcore/customer-management-framework-bundle 0 - 4.0.6Packagist

pimcore/customer_management_framework < 4.0.6

Published Jan 11, 2024

Tracked Since Feb 18, 2026