PT-2025-1724 · Pimcore · Pimcore/Customer-Data-Framework

Maeitsec · Published 2025-01-28 · Updated 2025-11-04 · CVE-2024-11956

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Pimcore customer-data-framework versions 4.2.0 and earlier

Description

A critical issue has been found in Pimcore customer-data-framework, affecting some unknown functionality of the file "/admin/customermanagementframework/customers/list". The manipulation of the filterDefinition/filter argument leads to SQL injection. The attack can be launched remotely.

The vulnerability is found in the URL parameters of the following endpoint:

GET /admin/customermanagementframework/customers/list?add-new-customer=1&apply-segment-selection=Apply&filterDefinition[allowedRoleIds][]=1&filterDefinition[allowedUserIds][]=2&filterDefinition[id]=0&filterDefinition[name]=RDFYjolf&filterDefinition[readOnly]=on&filterDefinition[shortcutAvailable]=on&filter[active]=1&filter[email]=testing%40example.com&filter[firstname]=RDFYjolf&filter[id]=1&filter[lastname]=RDFYjolf&filter[operator-customer]=AND&filter[operator-segments]=%40%40dz1Uu&filter[search]=the&filter[segments][832][]=847&filter[segments][833][]=835&filter[segments][874][]=876&filter[showSegments][]=832 HTTP/1.1

The parameters filterDefinition and filter are vulnerable to SQL injection. When a specially crafted input is provided, it results in an SQL error, indicating that the input is being directly used in an SQL query without proper sanitization.

Recommendations

Pimcore customer-data-framework versions 4.2.0 and earlier: Upgrade to version 4.2.1 to address the issue.
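
For installations that cannot be upgraded immediately, web server access logs can be reviewed for requests to the endpoint above whose filter / filterDefinition parameters carry unexpected content. The following is an added example, not part of the advisory or of Pimcore's code; the combined log format, the AND/OR operator allow-list and the metacharacter list are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/admin/customermanagementframework/customers/list"  # path named in the advisory
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')       # request field of a combined-format log line
NAME_OK = re.compile(r"^(?:filter|filterDefinition)(?:\[[\w-]*\])+$")
# Assumption: quotes, comment markers, separators and SQL keywords never occur in legitimate filter values.
SQL_META = re.compile(r"['\"`;\\]|--|/\*|@@|\b(?:union|select|sleep|benchmark)\b", re.I)
OPERATORS = {"AND", "OR"}  # assumption: the only values the operator-* fields legitimately take

def triage(line):
    """Return (parameter, value, reason) findings for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if url.path != ENDPOINT:
        return []
    findings = []
    # parse_qsl percent-decodes names and values, so %5B / %27 style encodings are inspected in clear
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if not name.startswith(("filter[", "filterDefinition[")):
            continue
        if not NAME_OK.match(name):
            findings.append((name, value, "unexpected characters in parameter name"))
        elif name.startswith("filter[operator-") and value.upper() not in OPERATORS:
            findings.append((name, value, "operator is not AND/OR"))
        elif SQL_META.search(value):
            findings.append((name, value, "SQL metacharacter or keyword in value"))
    return findings

# Constructed sample lines (not real traffic); the second reuses the operator value shown in the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jan/2025:10:00:00 +0000] "GET /admin/customermanagementframework/customers/list?filter%5Bemail%5D=testing%40example.com&filter%5Boperator-customer%5D=AND HTTP/1.1" 200 5120',
    '203.0.113.5 - - [28/Jan/2025:10:00:05 +0000] "GET /admin/customermanagementframework/customers/list?filter[operator-segments]=%40%40dz1Uu&filter[search]=the HTTP/1.1" 500 812',
    '203.0.113.5 - - [28/Jan/2025:10:00:09 +0000] "GET /admin/customermanagementframework/customers/list?filterDefinition[name]=x%27 HTTP/1.1" 500 812',
    '203.0.113.5 - - [28/Jan/2025:10:00:12 +0000] "GET /admin/login?filter[email]=x%27 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value, reason in triage(line):
            print(f"{name}={value!r}: {reason}")
```

Findings are triage leads rather than proof of exploitation: a legitimate search term can contain a flagged keyword, so matches should be correlated with the response status and the authenticated admin session that issued the request.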

Exploit

Fix

Special Elements Injection

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2024-11956
GHSA-8M8M-98C9-VW7Q
GHSA-Q53R-9HH9-W277

Affected Products

Pimcore/Customer-Data-Framework