CVE-2021-31867

Name of the Vulnerable Software and Affected Versions Pimcore Customer Data Framework versions 3.0.0 and earlier

Description The issue is related to a Boolean-based blind SQL injection in the $id parameter of the SegmentAssignmentController.php component. This allows a remote attacker to disclose protected information by exploiting the lack of protection of the SQL query structure.

Recommendations For Pimcore Customer Data Framework versions 3.0.0 and earlier, update to version 3.0.2 to resolve the issue. As a temporary workaround, consider restricting access to the SegmentAssignmentController.php component until a patch is available. Avoid using the $id parameter in the affected component until the issue is resolved.