Wisconaut

**Name of the Vulnerable Software and Affected Versions** Pimcore Ecommerce Framework Bundle versions prior to 1.0.10 **Description** The issue allows an authenticated and unauthorized user to access the back-office orders list and query over the information returned due to a lack of enforced access control and permissions. This can be achieved by accessing the `admin/ecommerceframework/admin-order/list` endpoint, which does not seem to validate user permissions. As a result, an unauthorized user can access back-office orders without proper authorization. **Recommendations** For versions prior to 1.0.10, update to version 1.0.10 to resolve the issue. As a temporary workaround, consider restricting access to the `admin/ecommerceframework/admin-order/list` endpoint until the update is applied. Additionally, review and ensure that all users have appropriate permissions and access controls in place to prevent unauthorized access to sensitive data.

**Name of the Vulnerable Software and Affected Versions** Pimcore Customer Management Framework versions prior to 4.0.6 **Description** The issue allows an authenticated and unauthorized user to access the list of potential duplicate users and see their data. This occurs because permissions are not properly enforced when reaching the "/admin/customermanagementframework/duplicates/list" endpoint, allowing an authenticated user without the necessary permissions to access the endpoint and query the available data. As a result, unauthorized users can access personally identifiable information (PII) from customers. **Recommendations** For versions prior to 4.0.6, update to version 4.0.6 to resolve the issue. As a temporary workaround, consider restricting access to the "/admin/customermanagementframework/duplicates/list" endpoint until the update is applied. Additionally, review and adjust user roles and permissions to ensure that only authorized users have access to sensitive customer data.

**Name of the Vulnerable Software and Affected Versions** pimcore/customer-data-framework versions prior to 4.0.6 **Description** An authenticated and unauthorized user can access the GDPR data extraction feature and query over the information returned, leading to customer data exposure. Permissions are not enforced when reaching the "/admin/customermanagementframework/gdpr-data/search-data-objects" endpoint, allowing an authenticated user without the permissions to access the endpoint and query the data available there. An unauthorized user can access PII data from customers. **Recommendations** For versions prior to 4.0.6, update to version 4.0.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/admin/customermanagementframework/gdpr-data/search-data-objects" endpoint until the update is applied. Additionally, review and enforce proper permissions for all users to prevent unauthorized access to customer data.