Vulnerability Description
pimcore/customer-data-framework is the Customer Management Framework for management of customer data within Pimcore. An authenticated and unauthorized user can access the GDPR data extraction feature and query over the information returned, leading to customer data exposure. Permissions are not enforced when reaching the `/admin/customermanagementframework/gdpr-data/search-data-objects` endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. An unauthorized user can access PII data from customers. This vulnerability has been patched in version 4.0.6.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pimcore | Customer Management Framework | < 4.0.6 |
Related Weaknesses (CWE)
References
- https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdfIssue Tracking
- https://github.com/pimcore/customer-data-framework/commit/6c34515be2ba39dceee7daPatch
- https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-g273ExploitVendor Advisory
- https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdfIssue Tracking
- https://github.com/pimcore/customer-data-framework/commit/6c34515be2ba39dceee7daPatch
- https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-g273ExploitVendor Advisory
FAQ
What is CVE-2024-21667?
CVE-2024-21667 is a vulnerability with a CVSS score of 6.5 (MEDIUM). pimcore/customer-data-framework is the Customer Management Framework for management of customer data within Pimcore. An authenticated and unauthorized user can access the GDPR data extraction feature ...
How severe is CVE-2024-21667?
CVE-2024-21667 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-21667?
Check the references section above for vendor advisories and patch information. Affected products include: Pimcore Customer Management Framework.