PT-2024-19007 · Pimcore · Pimcore Ecommerce Framework Bundle

Wisconaut · Published 2024-01-10 · Updated 2024-01-17 · CVE-2024-21665

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Pimcore Ecommerce Framework Bundle versions prior to 1.0.10

Description: The issue allows an authenticated but unauthorized user to access the back-office orders list and query the information it returns, due to a lack of enforced access control and permissions. This can be achieved by accessing the admin/ecommerceframework/admin-order/list endpoint, which does not appear to validate the user's permissions. As a result, a user without the corresponding permission can read back-office orders.

Recommendations: For versions prior to 1.0.10, update to version 1.0.10 to resolve the issue. As a temporary workaround, consider restricting access to the admin/ecommerceframework/admin-order/list endpoint until the update is applied. Additionally, review that all users have appropriate permissions and access controls in place to prevent unauthorized access to sensitive data.
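The weakness class described above, as an added illustration rather than Pimcore's own code: a Symfony-style back-office controller in which the orders-list action relies on authentication alone, next to a hardened variant that enforces a permission check before reading any data. The `OrderRepository` interface and the `PLACEHOLDER_ORDER_PERMISSION` attribute are assumptions; the real permission name depends on the deployment's security voters.

```php
<?php
// Added illustration, not Pimcore's own code. Shows the missing-authorization
// pattern from the advisory and a fail-closed fix in the same controller.
// Assumptions: OrderRepository is a hypothetical service; the attribute
// 'PLACEHOLDER_ORDER_PERMISSION' stands in for the deployment's real permission.

namespace App\Controller\Admin;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Annotation\Route;

// Hypothetical data-access service used by both actions.
interface OrderRepository
{
    /** @param array<string, mixed> $filter  @return array<int, array<string, mixed>> */
    public function search(array $filter): array;
}

final class AdminOrderController extends AbstractController
{
    // Before: being logged in to the back office is the only barrier. Every
    // authenticated user who requests this path receives the orders list,
    // matching the behaviour described for versions prior to 1.0.10.
    #[Route('/admin/ecommerceframework/admin-order/list-before', methods: ['GET'])]
    public function listBefore(Request $request, OrderRepository $orders): JsonResponse
    {
        $filter = $request->query->all();
        return $this->json($orders->search($filter));
    }

    // After: authorization is enforced server-side before any data is read.
    // denyAccessUnlessGranted() throws AccessDeniedException when the current
    // user lacks the attribute; Symfony's firewall turns that into HTTP 403.
    #[Route('/admin/ecommerceframework/admin-order/list', methods: ['GET'])]
    public function list(Request $request, OrderRepository $orders): JsonResponse
    {
        $this->denyAccessUnlessGranted('PLACEHOLDER_ORDER_PERMISSION');

        $filter = $request->query->all();
        return $this->json($orders->search($filter));
    }
}
```

The check must live in the action (or a voter, or an access_control rule covering the path), not only in the admin UI, because the endpoint is reachable directly regardless of which menu entries a user sees.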

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2024-21665
GHSA-CX99-25HR-5JXF

Affected Products

Pimcore Ecommerce Framework Bundle