CVE-2023-49076

Опубликовано: 30 нояб. 2023

Источник: nvd

CVSS3: 4.3

CVSS3: 6.5

EPSS Низкий

Описание

Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5.

Ссылки

https://github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433eff0aa2a9b537a89f7.patch
Patch
Vendor Advisory
https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-xx63-4jr8-9ghc
Exploit
Patch
Vendor Advisory
https://github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433eff0aa2a9b537a89f7.patch
Patch
Vendor Advisory
https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-xx63-4jr8-9ghc
Exploit
Patch
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:pimcore:pimcore:*:*:*:*:*:*:*:*

Версия до 4.0.5 (исключая)

EPSS

Процентиль: 0%

0.00006

Низкий

4.3 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-352

EPSS

Процентиль: 0%

0.00006

Низкий

4.3 Medium

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-352