CVE-2024-11956
Published: 28 January 2025
Description
A vulnerability, which was classified as critical, has been found in Pimcore customer-data-framework up to 4.2.0. Affected by this issue is some unknown functionality of the file /admin/customermanagementframework/customers/list. The manipulation of the argument filterDefinition/filter leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component.
Security Summary
CVE-2024-11956 is a SQL injection vulnerability (classified as critical, associated with CWE-74 and CWE-89) in Pimcore customer-data-framework versions up to 4.2.0. The issue affects unknown functionality in the file /admin/customermanagementframework/customers/list, where manipulation of the filterDefinition/filter argument triggers the injection.
The vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L), but requires high privileges (PR:H) and no user interaction (UI:N). Attackers with sufficient access can achieve low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), corresponding to a CVSS v3.1 base score of 4.7 in an unchanged scope (S:U).
Advisories from Pimcore and VulDB recommend upgrading to version 4.2.1, which addresses the issue, as detailed in the GitHub release notes and security advisory (GHSA-q53r-9hh9-w277).
The exploit has been disclosed publicly and may be used, with the CVE published on 2025-01-28.
Details
- CWE(s)