Vulnerability Description
Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pimcore | Pimcore | < 4.0.5 |
Related Weaknesses (CWE)
References
- https://github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433PatchVendor Advisory
- https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-xx63ExploitPatchVendor Advisory
- https://github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433PatchVendor Advisory
- https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-xx63ExploitPatchVendor Advisory
FAQ
What is CVE-2023-49076?
CVE-2023-49076 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability t...
How severe is CVE-2023-49076?
CVE-2023-49076 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-49076?
Check the references section above for vendor advisories and patch information. Affected products include: Pimcore Pimcore.