Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5.
References
Link | Resource |
---|---|
https://github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433eff0aa2a9b537a89f7.patch | Patch Vendor Advisory |
https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-xx63-4jr8-9ghc | Exploit Patch Vendor Advisory |
Configurations
History
05 Dec 2023, 18:14
Type | Values Removed | Values Added |
---|---|---|
First Time |
Pimcore pimcore
Pimcore |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
CPE | cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:* | |
References | () https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-xx63-4jr8-9ghc - Exploit, Patch, Vendor Advisory | |
References | () https://github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433eff0aa2a9b537a89f7.patch - Patch, Vendor Advisory |
30 Nov 2023, 06:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-11-30 06:15
Updated : 2023-12-10 15:26
NVD link : CVE-2023-49076
Mitre link : CVE-2023-49076
CVE.ORG link : CVE-2023-49076
JSON object : View
Products Affected
pimcore
- pimcore
CWE
CWE-352
Cross-Site Request Forgery (CSRF)