Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS14OTlqLXI4dnYtZ3d3as4AAzSL

Moderate EPSS: 0.00012% (0.0115 Percentile) EPSS:
Permalink JSON

Pimcore vulnerable to Business Logic Errors via Customer automation rules

Affected Packages Affected Versions Fixed Versions
packagist:pimcore/customer-management-framework-bundle < 3.3.9 3.3.9
2 Dependent packages
14 Dependent repositories
464,920 Downloads total

Affected Version Ranges

All affected versions

1.0.0, 1.0.1, v1.1.0, v1.1.1, v1.2.0, v1.2.1, v1.2.2, v1.2.3, v1.2.4, v1.2.5, v1.2.6, v1.3.0, v1.3.1, v1.3.2, v1.3.3, v1.3.4, v1.3.5, v1.3.6, v1.3.7, v1.3.8, v1.3.9, v1.3.10, v1.3.11, v1.3.12, v1.3.13, v1.3.14, v1.3.15, v1.3.16, 1.3.17, v1.3.18, v1.3.19, v1.3.20, v1.3.21, v1.4.0, v1.4.1, v1.4.2, v1.4.3, v1.4.4, v1.4.5, v1.4.6, v1.4.7, v1.4.8, v1.4.9, v1.4.10, v1.4.11, v1.4.12, v1.5.0, v1.5.1, v1.5.2, v1.5.3, v1.5.4, v1.5.5, v1.6.1, v1.6.2, v1.6.3, v1.6.4, v1.6.5, v1.6.6, v1.6.7, v1.7.0, v1.7.1, v1.7.2, v1.7.3, v1.7.4, v1.8.0, v1.9.0, v1.9.1, v1.10.0, v1.10.1, v1.11.0, v1.12.0, v1.12.1, v1.13.0, v1.13.1, v1.14.0, v1.14.1, v1.14.2, v1.14.3, v1.14.4, v2.0.0, v2.0.1, v2.1.0, v2.2.0, v2.2.1, v2.3.0, v2.3.1, v2.3.2, v2.3.3, v2.4.0, v2.4.1, v2.4.2, v2.4.3, v2.4.4, 2.4.5, v2.4.6, v2.4.7, v2.5.0, 2.5.1, v2.5.2, v2.5.3, v2.5.4, v2.5.5, v2.5.6, v2.5.7, v2.6.0, v2.6.1, v2.6.2, v3.0.0, v3.0.1, v3.0.2, v3.0.3, v3.1.0, v3.1.1, v3.2.0, v3.2.1, v3.2.2, v3.2.3, v3.2.4, v3.2.5, v3.2.6, v3.2.7, v3.2.8, v3.2.9, v3.2.10, v3.2.11, v3.2.12, v3.2.13, v3.2.14, v3.3.0, v3.3.1, v3.3.2, v3.3.3, v3.3.4, v3.3.5, v3.3.6, v3.3.7, v3.3.8

All unaffected versions

v3.3.9, v3.3.10, v3.4.0, v3.4.1, v3.4.2, v3.4.3, v3.4.4, v3.4.5, v3.4.6, v4.0.0, v4.0.1, v4.0.2, v4.0.3, v4.0.4, v4.0.5, v4.0.6, v4.0.7, v4.0.8, v4.1.0, v4.1.1, v4.1.2, v4.2.0, v4.2.1, v4.2.2, v4.2.3, v4.2.4

Impact

Business Logic Errors in the Conditions tab since the counter can be a negative number.

This vulnerability is capable of the unlogic in the counter value in the Conditions tab.

Patches

Update to version 3.3.9 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch

Workarounds

Apply https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch manually.

References

https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a/

References:

Identifiers

GHSA-x99j-r8vv-gwwj

CVE-2023-32075

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00012

EPSS Percentile: 0.0115

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/pimcore/customer-data-framework

Date and time

Published

over 2 years ago

Updated

16 days ago

API

JSON