Описание
Pimcore Customer Data Framework Improper Access Control allows unprivileged user to access customers duplicates list
Summary
An authenticated and unauthorized user can access the list of potential duplicate users and see their data.
Details
Permissions do not seem to be enforced when reaching the /admin/customermanagementframework/duplicates/list endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. It seems that the access control is not enforced in this place :
https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/DuplicatesController.php#L43
PoC
In order to reproduce the issue, the following steps can be followed :
- As an administrator : a. Create a role without any permission through Settings → User & Roles → Roles in the administration panel b. Create an user through Settings → User & Roles → Users and assign it the unprivileged role previously created
- Log out the current administrator and log in with this new user
- Access to the following endpoint
https://pimcore_instance/admin/customermanagementframework/duplicates/listand the results will be returned to this unauthorized user
Impact
An unauthorized user can access PII data from customers without being authorized to.
Ссылки
- https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-c38c-c8mh-vq68
- https://nvd.nist.gov/vuln/detail/CVE-2024-21666
- https://github.com/pimcore/customer-data-framework/commit/c33c0048390ef0cf98b801d46a81d0762243baa6
- https://github.com/pimcore/customer-data-framework/blob/b4af625ef327c58d05ef7cdf145fa749d2d4195e/src/Controller/Admin/DuplicatesController.php#L43
Пакеты
pimcore/customer-management-framework-bundle
< 4.0.6
4.0.6
Связанные уязвимости
The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management, segmentation, personalization and marketing automation. An authenticated and unauthorized user can access the list of potential duplicate users and see their data. Permissions are enforced when reaching the `/admin/customermanagementframework/duplicates/list` endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. Unauthorized user(s) can access PII data from customers. This vulnerability has been patched in version 4.0.6.