Homepage
About Snyk

Information Exposure Affecting pimcore/pimcore package, versions <10.6.4

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.07% (31st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-PIMCOREPIMCORE-5803011
  • published 23 Jul 2023
  • disclosed 21 Jul 2023
  • credit Dalibor Karlović
Report a new vulnerability Found a mistake?

Introduced: 21 Jul 2023

CVE-2023-3819 Open this link in a new tab
CWE-200 Open this link in a new tab

How to fix?

Upgrade pimcore/pimcore to version 10.6.4 or higher.

Overview

pimcore/pimcore is a content & product management framework (CMS/PIM/E-Commerce).

Affected versions of this package are vulnerable to Information Exposure which allows unauthorized users to obtain sensitive information about the system's runtime environment, features they have no permission to access, etc.

PoC

  1. Create a new user without any permissions attached

  2. Do not assign any permissions to the user

  3. Do not add any locations to the user's workspace

  4. Do not add it to any roles, etc

  5. Log in as the said user

UI will be almost completely empty, but still several fetch requests in console are providing information the user shouldn't have access to.

References

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.6 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    Low
  • Availability (A)
    Low
Expand this section

NVD

6.5 medium