Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-j65r-g7q2-f8v3

Опубликовано: 25 мая 2023
Источник: github
Github: Прошло ревью
CVSS3: 6.7

Описание

Pimcore customers' list user password hash is disclosed

Impact

The customer view exposes the hashed password along with other deails. An attacker is then able to enum password of a particular id, likewise we can replace id with other user , for example 1015, password hash can be disclosed which can be further cracked with hashcat

Patches

Update to version 3.3.10 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/d1d58c10313f080737dc1e71fab3beb12488a1e6.patch

Workarounds

Apply https://github.com/pimcore/customer-data-framework/commit/d1d58c10313f080737dc1e71fab3beb12488a1e6.patch manually.

References

https://huntr.dev/bounties/db6c32f4-742e-4262-8fd5-cefd0f133416/

Ссылки

Пакеты

Наименование

pimcore/customer-management-framework-bundle

composer
Затронутые версииВерсия исправления

< 3.3.10

3.3.10

EPSS

Процентиль: 0%
0.00001
Низкий

6.7 Medium

CVSS3

CVE ID

CVE-2023-2881

Дефекты

CWE-257
CWE-522

Связанные уязвимости

nvd логотип

CVE-2023-2881

CVSS3: 4.9
nvd
больше 2 лет назад

Storing Passwords in a Recoverable Format in GitHub repository pimcore/customer-data-framework prior to 3.3.10.

EPSS

Процентиль: 0%
0.00001
Низкий

6.7 Medium

CVSS3

CVE ID

CVE-2023-2881

Дефекты

CWE-257
CWE-522