CVE-2024-11956 Information

Description

A vulnerability which was classified as critical has been found in Pimcore customer-data-framework up to 4.2.0. Affected by this issue is some unknown functionality of the file /admin/customermanagementframework/customers/list. The manipulation of the argument filterDefinition/filter leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Reference

https://github.com/pimcore/customer-data-framework/releases/tag/v4.2.1 https://github.com/pimcore/pimcore/security/advisories/GHSA-q53r-9hh9-w277 https://github.com/pimcore/pimcore/security/advisories/GHSA-q53r-9hh9-w277 https://vuldb.com/?ctiid.293906 https://vuldb.com/?id.293906 https://vuldb.com/?submit.451863

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction Required

HIGH

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

LOW

Base Severity

4.7