Miggo Logo

CVE-2024-21666: Pimcore Customer Data Framework Improper Access Control allows unprivileged user to access customers duplicates list

6.5

CVSS Score
3.1

Basic Information

EPSS Score
0.00202%
Published
1/10/2024
Updated
1/11/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
pimcore/customer-management-framework-bundlecomposer< 4.0.64.0.6

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing access control in the DuplicatesController's listAction method handling the /admin/customermanagementframework/duplicates/list endpoint. The proof-of-concept demonstrates unauthorized access, and the patch adds a permission check (checkPermission('plugin_cmf_perm_customerview')) via a new onKernelControllerEvent method. This indicates the original listAction method executed without verifying user permissions, making it the vulnerable function. The direct correlation between the missing check in the original code and the security fix confirms this assessment.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry *n *ut**nti**t** *n* un*ut*oriz** us*r **n ****ss t** list o* pot*nti*l *upli**t* us*rs *n* s** t**ir **t*. ### **t*ils P*rmissions *o not s**m to ** *n*or*** w**n r****in* t** `/**min/*ustom*rm*n***m*nt*r*m*work/*upli**t*s/list` *n*poin

Reasoning

T** vuln*r**ility st*ms *rom missin* ****ss *ontrol in t** *upli**t*s*ontroll*r's list**tion m*t*o* **n*lin* t** /**min/*ustom*rm*n***m*nt*r*m*work/*upli**t*s/list *n*point. T** proo*-o*-*on**pt **monstr*t*s un*ut*oriz** ****ss, *n* t** p*t** ***s *