PT-2024-19009 · Pimcore · Pimcore/Customer-Data-Framework

Wisconaut · Published 2024-01-10 · Updated 2024-01-18 · CVE-2024-21667

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: pimcore/customer-data-framework versions prior to 4.0.6

Description: An authenticated user who lacks the required permission can reach the GDPR data extraction feature and query the information it returns, exposing customer data. Permissions are not enforced on the "/admin/customermanagementframework/gdpr-data/search-data-objects" endpoint, so an authenticated user without the corresponding permission can call it and query the data available there. As a result, an unauthorized user can access customers' PII.

Recommendations: For versions prior to 4.0.6, update to version 4.0.6 or later to resolve the issue. As a temporary workaround until the update is applied, consider restricting access to the "/admin/customermanagementframework/gdpr-data/search-data-objects" endpoint. Additionally, review and enforce proper permissions for all users to prevent unauthorized access to customer data.
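The first thing a practitioner will want to do with this advisory is confirm whether a given Pimcore deployment carries an affected copy of the package. The following is an added example, not part of the advisory or of the Pimcore project: it reads a Composer lock file, looks up pimcore/customer-data-framework and compares the locked version against the 4.0.6 fix release stated above. The composer.lock content is a constructed sample, and the version parsing (leading "v", optional pre-release suffix) is a simple assumption about Composer's version strings rather than a full semver implementation.

```python
import json
import re

# Constructed composer.lock excerpt (sample data, not from any real deployment).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "pimcore/pimcore", "version": "v11.1.0"},
        {"name": "pimcore/customer-data-framework", "version": "v4.0.5"},
    ],
    "packages-dev": [],
})

AFFECTED_PACKAGE = "pimcore/customer-data-framework"
FIXED_VERSION = "4.0.6"  # from the advisory: versions prior to 4.0.6 are affected


def parse_version(v):
    """Turn '4.0.6', 'v4.0.6' or '4.0.6-RC1' into a comparable key.

    The key is (numeric components, is_release) so that a pre-release such as
    4.0.6-RC1 sorts below the 4.0.6 release itself. Raises ValueError for
    strings that are not numeric versions (e.g. Composer's 'dev-main').
    """
    m = re.match(r"^v?(\d+(?:\.\d+)*)(?:[-+](.*))?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # pad so that 4.0 compares equal to 4.0.0
    is_release = m.group(2) is None
    return nums, is_release


def installed_version(lock_json, package):
    """Return the locked version of `package`, or None if it is not installed."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def is_affected(version, fixed=FIXED_VERSION):
    """True when `version` is strictly older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def check_lock(lock_json):
    """Return (installed_version, affected) for the advisory's package.

    `affected` is True/False for a parseable version, None when the package
    is installed from a branch alias (e.g. 'dev-main') and cannot be judged
    by version number alone; (None, False) means the package is absent.
    """
    ver = installed_version(lock_json, AFFECTED_PACKAGE)
    if ver is None:
        return None, False
    try:
        return ver, is_affected(ver)
    except ValueError:
        return ver, None


if __name__ == "__main__":
    ver, affected = check_lock(SAMPLE_COMPOSER_LOCK)
    if ver is None:
        print(f"{AFFECTED_PACKAGE} is not installed")
    elif affected is None:
        print(f"{AFFECTED_PACKAGE} {ver}: branch install, check the commit against 4.0.6 manually")
    elif affected:
        print(f"{AFFECTED_PACKAGE} {ver}: AFFECTED, update to {FIXED_VERSION} or later")
    else:
        print(f"{AFFECTED_PACKAGE} {ver}: not affected")
```

Run it against a real lock file by replacing SAMPLE_COMPOSER_LOCK with the contents of the deployment's composer.lock; a branch install such as dev-main is reported separately because the version string alone cannot show whether the fixing commit is included.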

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2024-21667
GHSA-G273-WPPX-82W4

Affected Products

Pimcore/Customer-Data-Framework