Pimcore Customer Management Framework vulnerable to Improper Authorization in Rules Controller
Moderate severity
GitHub Reviewed
Published
Jul 10, 2023
in
pimcore/customer-data-framework
•
Updated Nov 6, 2023
Package
Affected versions
< 3.4.1
Patched versions
3.4.1
Description
Published by the National Vulnerability Database
Jul 10, 2023
Published to the GitHub Advisory Database
Jul 10, 2023
Reviewed
Jul 10, 2023
Last updated
Nov 6, 2023
Impact
The product performs authorization checks incorrectly when an unauthorized actor tries to access a resource or perform an actions.
The attacker can view and freely perform actions to add, modify, or delete rules.
Patches
Update to version 3.4.1 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/f15668c86db254e86ba7ac895bc3cdd1a2a3cc45.patch
Workarounds
Apply https://github.com/pimcore/customer-data-framework/commit/f15668c86db254e86ba7ac895bc3cdd1a2a3cc45.patch manually.
References
https://huntr.dev/bounties/1dcb4f01-e668-4aa3-a6a3-838532e500c6/
References