6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-21666

GHSA ID

GHSA-c38c-c8mh-vq68

EPSS Score

0.00202%

CWE

CWE-284

Published

1/10/2024

Updated

1/11/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-21666

CVE-2024-21666: Pimcore Customer Data Framework Improper Access Control allows unprivileged user to access customers duplicates list

Summary

An authenticated and unauthorized user can access the list of potential duplicate users and see their data.

Details

Permissions do not seem to be enforced when reaching the /admin/customermanagementframework/duplicates/list endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. It seems that the access control is not enforced in this place : https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/DuplicatesController.php#L43

PoC

In order to reproduce the issue, the following steps can be followed :

As an administrator : a. Create a role without any permission through Settings → User & Roles → Roles in the administration panel b. Create an user through Settings → User & Roles → Users and assign it the unprivileged role previously created
Log out the current administrator and log in with this new user
Access to the following endpoint https://pimcore_instance/admin/customermanagementframework/duplicates/list and the results will be returned to this unauthorized user

Impact

An unauthorized user can access PII data from customers without being authorized to.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-21666

GHSA ID

GHSA-c38c-c8mh-vq68

EPSS Score

0.00202%

CWE

CWE-284

Published

1/10/2024

Updated

1/11/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pimcore/customer-management-framework-bundle	composer	< 4.0.6	4.0.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing access control in the DuplicatesController's listAction method handling the /admin/customermanagementframework/duplicates/list endpoint. The proof-of-concept demonstrates unauthorized access, and the patch adds a permission check (checkPermission('plugin_cmf_perm_customerview')) via a new onKernelControllerEvent method. This indicates the original listAction method executed without verifying user permissions, making it the vulnerable function. The direct correlation between the missing check in the original code and the security fix confirms this assessment.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry *n *ut**nti**t** *n* un*ut*oriz** us*r **n ****ss t** list o* pot*nti*l *upli**t* us*rs *n* s** t**ir **t*. ### **t*ils P*rmissions *o not s**m to ** *n*or*** w**n r****in* t** `/**min/*ustom*rm*n***m*nt*r*m*work/*upli**t*s/list` *n*poin

Reasoning

T** vuln*r**ility st*ms *rom missin* ****ss *ontrol in t** *upli**t*s*ontroll*r's list**tion m*t*o* **n*lin* t** /**min/*ustom*rm*n***m*nt*r*m*work/*upli**t*s/list *n*point. T** proo*-o*-*on**pt **monstr*t*s un*ut*oriz** ****ss, *n* t** p*t** ***s *

6.5

Basic Information

Concerned about an active attack path?

CVE-2024-21666: Pimcore Customer Data Framework Improper Access Control allows unprivileged user to access customers duplicates list

Summary

Details

PoC

Impact

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI