7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-11956

GHSA ID

GHSA-q53r-9hh9-w277

EPSS Score

0.00095%

CWE

CWE-564

Published

1/28/2025

Updated

1/28/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-11956

CVE-2024-11956: pimcore/customer-data-framework vulnerable to SQL Injection

An SQL injection vulnerability allows any authenticated user to execute arbitrary SQL commands on the server. This can lead to unauthorized access to sensitive data, data modification, or even complete control over the server.

Details The vulnerability is found in the URL parameters of the following endpoint:

GET /admin/customermanagementframework/customers/list?add-new-customer=1&apply-segment-selection=Apply&filterDefinition[allowedRoleIds][]=1&filterDefinition[allowedUserIds][]=2&filterDefinition[id]=0&filterDefinition[name]=RDFYjolf&filterDefinition[readOnly]=on&filterDefinition[shortcutAvailable]=on&filter[active]=1&filter[email]=testing%40example.com&filter[firstname]=RDFYjolf&filter[id]=1&filter[lastname]=RDFYjolf&filter[operator-customer]=AND&filter[operator-segments]=%40%40dz1Uu&filter[search]=the&filter[segments][832][]=847&filter[segments][833][]=835&filter[segments][874][]=876&filter[showSegments][]=832 HTTP/1.1

The parameters filterDefinition and filter are vulnerable to SQL injection. When a specially crafted input is provided, it results in an SQL error, indicating that the input is being directly used in an SQL query without proper sanitization.

PoC To reproduce the vulnerability, follow these steps:

Open a web browser or a tool like curl or Postman. Authenticate with valid user credentials. Navigate to the following URL with the vulnerable parameters:

https://demo.pimcore.fun/admin/customermanagementframework/customers/list?add-new-customer=1&apply-segment-selection=Apply&filterDefinition[allowedRoleIds][]=1&filterDefinition[allowedUserIds][]=2&filterDefinition[id]=0&filterDefinition[name]=RDFYjolf&filterDefinition[readOnly]=on&filterDefinition[shortcutAvailable]=on&filter[active]=1&filter[email]=testing%40example.com&filter[firstname]=RDFYjolf&filter[id]=1&filter[lastname]=RDFYjolf&filter[operator-customer]=AND&filter[operator-segments]=%40%40dz1Uu&filter[search]=the&filter[segments][832][]=847&filter[segments][833][]=835&filter[segments][874][]=876&filter[showSegments][]=832
Observe the error message indicating an SQL error:
Error while building customer list: An exception occurred while executing a query: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '@_0 ON `fltr_seg_832_0_@_0`.fieldname IN ('manualSegments','calculatedSegment...' at line 1

Impact This is an SQL injection vulnerability. It impacts any authenticated user who can access the affected endpoint. An attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to data breaches, data loss, or full server compromise.

(GitHub Advisory)

7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-11956

GHSA ID

GHSA-q53r-9hh9-w277

EPSS Score

0.00095%

CWE

CWE-564

Published

1/28/2025

Updated

1/28/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pimcore/customer-management-framework-bundle	composer	< 4.2.1	4.2.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability manifests in SQL query construction through user-controlled 'filter' and 'filterDefinition' parameters. The error message shows raw user input ('@_0') in JOIN clauses, indicating unsafe string interpolation. The patch (commit #549) explicitly mentions 'Use parameters for joins', confirming that pre-4.2.1 versions concatenated user input into SQL. The Controller endpoint handles these parameters, while CustomerSegmentManager and SqlService are logical locations for query building with segments/filters. High confidence comes from the direct correlation between the exploit's SQL error patterns and the patched parameterization approach.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n SQL inj**tion vuln*r**ility *llows *ny *ut**nti**t** us*r to *x**ut* *r*itr*ry SQL *omm*n*s on t** s*rv*r. T*is **n l*** to un*ut*oriz** ****ss to s*nsitiv* **t*, **t* mo*i*i**tion, or *v*n *ompl*t* *ontrol ov*r t** s*rv*r. **t*ils T** vuln*r**il

Reasoning

T** vuln*r**ility m*ni**sts in SQL qu*ry *onstru*tion t*rou** us*r-*ontroll** '*ilt*r' *n* '*ilt*r***inition' p*r*m*t*rs. T** *rror m*ss*** s*ows r*w us*r input ('@_*') in JOIN *l*us*s, in*i**tin* uns*** strin* int*rpol*tion. T** p*t** (*ommit #***)

7.2

Basic Information

Concerned about an active attack path?

CVE-2024-11956: pimcore/customer-data-framework vulnerable to SQL Injection

7.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI