Описание
pimcore/customer-management-framework-bundle has SQL Injection vulnerability in Segment Assignment query
Impact
An administrator user can use the inheritable segments feature to execute his own blind SQL queries.
A user with administrator privileges can run any SQL query on database. This can be used to retrieve sensitive data, change database information or any other malicious activity against the database.
Patches
Update to version 3.3.10 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe.patch
Workarounds
Apply https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe.patch manually.
References
https://huntr.dev/bounties/cf398528-819f-456e-88e7-c06d268d3f44/
Ссылки
Пакеты
pimcore/customer-management-framework-bundle
< 3.3.10
3.3.10
Связанные уязвимости
SQL Injection in GitHub repository pimcore/customer-data-framework prior to 3.3.10.