Storing Passwords in a Recoverable Format Affecting pimcore/customer-management-framework-bundle package, versions <3.3.10


0.0
medium

Snyk CVSS

    Attack Complexity Low
    Privileges Required High
    Confidentiality High
    Availability High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.05% (16th percentile)
Expand this section
NVD
4.9 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-PIMCORECUSTOMERMANAGEMENTFRAMEWORKBUNDLE-5602336
  • published 25 May 2023
  • disclosed 25 May 2023
  • credit Pankaj Kumar Thakur

How to fix?

Upgrade pimcore/customer-management-framework-bundle to version 3.3.10 or higher.

Overview

pimcore/customer-management-framework-bundle is a Customer Management Framework for management of customer data within Pimcore.

Affected versions of this package are vulnerable to Storing Passwords in a Recoverable Format due to missing checks in the getDetailviewData function.

PoC

Vulnerable endpoint:

https://demo.pimcore.fun/admin/customermanagementframework/customers/detail?id=1016&filter[operator-customer]=AND&filter[operator-segments]=AND&filter[showSegments][0]=832&filter[showSegments][1]=833&filter[showSegments][2]=874&filterDefinition[id]=1