PT-2024-19008 · Pimcore · Pimcore Customer Management Framework

Wisconaut · Published 2024-01-10 · Updated 2024-01-18 · CVE-2024-21666

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Pimcore Customer Management Framework versions prior to 4.0.6

Description
The issue allows an authenticated user who lacks the required permission to retrieve the list of potential duplicate customers and view their data. Permissions are not properly enforced when the "/admin/customermanagementframework/duplicates/list" endpoint is reached, so any authenticated user can call the endpoint and query the available records. As a result, users without the necessary rights can access customers' personally identifiable information (PII).

Recommendations
For versions prior to 4.0.6, update to version 4.0.6 to resolve the issue. As a temporary workaround, consider restricting access to the "/admin/customermanagementframework/duplicates/list" endpoint until the update is applied. Additionally, review and adjust user roles and permissions to ensure that only authorized users have access to sensitive customer data.
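To support the review of who actually reached the endpoint while the workaround was in place, the following added example (not part of this advisory and not Pimcore code) audits web server access logs for successful requests to the duplicates endpoint from accounts outside a permitted set. The log format is constructed: combined log format plus a trailing `user=` field, which is assumed to be appended by a reverse proxy; stock Pimcore or nginx logs may not carry the admin user name.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (combined format + assumed "user=" field).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:09:12:01 +0000] "GET /admin/customermanagementframework/duplicates/list?limit=100 HTTP/1.1" 200 8421 "-" "Mozilla/5.0" user=alice
10.0.0.9 - - [10/Jan/2024:09:13:44 +0000] "GET /admin/customermanagementframework/duplicates/list HTTP/1.1" 200 8120 "-" "curl/8.4.0" user=bob
10.0.0.9 - - [10/Jan/2024:09:14:02 +0000] "GET /admin/login HTTP/1.1" 200 311 "-" "curl/8.4.0" user=-
10.0.0.7 - - [10/Jan/2024:09:15:30 +0000] "POST /admin/customermanagementframework/duplicates/list HTTP/1.1" 403 52 "-" "Mozilla/5.0" user=carol
"""

# Endpoint named in the advisory (CVE-2024-21666).
DUPLICATES_ENDPOINT = "/admin/customermanagementframework/duplicates/list"

# Combined log format with the assumed trailing "user=<name>" field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" user=(?P<user>\S+)$'
)


@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    user: str
    status: int


def find_unauthorized_hits(log_text, permitted_users):
    """Return successful (2xx) requests to the duplicates endpoint made by
    users who are not in the set that is meant to see duplicate customers.
    Query strings are stripped so "?limit=100" still matches; requests the
    server already rejected (e.g. 403) are not reported."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = m.group("target").split("?", 1)[0]
        if path != DUPLICATES_ENDPOINT:
            continue
        status = int(m.group("status"))
        user = m.group("user")
        if 200 <= status < 300 and user not in permitted_users:
            hits.append(Hit(m.group("ip"), m.group("ts"), user, status))
    return hits


if __name__ == "__main__":
    for hit in find_unauthorized_hits(SAMPLE_LOG, {"alice"}):
        print(f"{hit.ts} {hit.ip} user={hit.user} status={hit.status}")
```

Accounts reported by this check are candidates for the role and permission review the advisory recommends, and for confirming which customer records they were able to view.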

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2024-21666
GHSA-C38C-C8MH-VQ68

Affected Products

Pimcore Customer Management Framework