Lucene search

GitHub_MCVE-2023-49076

HistoryNov 30, 2023 - 6:15 a.m.

CVE-2023-49076

2023-11-3006:15:46

CWE-352

GitHub_M

web.nvd.nist.gov

customer data

pimcore

csrf protection

vulnerability

patch

cve-2023-49076

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

20.1%

JSON

Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5.

Affected configurations

Nvd

Vulners

Node

pimcorepimcoreRange<4.0.5

VendorProductVersionCPE
pimcorepimcore*cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
pimcore	pimcore	*	cpe:2.3:a:pimcore:pimcore::::::::

CNA Affected

[
  {
    "vendor": "pimcore",
    "product": "customer-data-framework",
    "versions": [
      {
        "version": "< 4.0.5",
        "status": "affected"
      }
    ]
  }
]

References

github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433eff0aa2a9b537a89f7.patch

github.com/pimcore/customer-data-framework/security/advisories/GHSA-xx63-4jr8-9ghc

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

20.1%

JSON

Related for CVE-2023-49076