CVE-2023-49076

Published Nov 30, 2023

Last updated a year ago

CVSS medium 6.5

Overview

Description: Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5.
Source: security-advisories@github.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 6.5
Impact score: 3.6
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Severity: MEDIUM

Weaknesses

security-advisories@github.com: CWE-352

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9F2FC090-2A95-465C-935D-BDEA3F6F32E7",
            "versionEndExcluding": "4.0.5"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References