CVE-2023-3574: Improper Authorization in "Customer automation rules" function in customer-data-framework

Improper Authorization in GitHub repository pimcore/customer-data-framework prior to 3.4.1.

Description

The product performs authorization checks incorrectly when an unauthorized actor tries to access a resource or perform an action.

Proof of Concept

The user does not have permission to delete the rule.

Location

  • GET /admin/customermanagementframework/rules/list
  • POST /admin/customermanagementframework/rules/add
  • PUT /admin/customermanagementframework/rules/save
  • DELETE /admin/customermanagementframework/rules/delete

Image

https://drive.google.com/drive/folders/1bSCkTQtcGhtdzRjKGD3KIA-8Kx3a406u?usp=sharing

Impact

The attacker can view and freely perform actions to add, modify, or delete rules.
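The four endpoints above share one defect: the controller action runs before anyone checks that the caller holds the permission the rules feature requires. The following is an added example, not code from pimcore/customer-data-framework and not the project's patch, that models the gap in a small rules controller and shows the check a defender would expect on every entry point, plus a route audit that walks all four listed paths as an unprivileged account and reports which ones were denied. The permission name `plugin_cmf_rules`, the `User` and `RulesController` classes and the `dispatch`/`audit_routes` helpers are assumptions made for the illustration; the route paths are the ones listed in the advisory.

```python
# Added example (not Pimcore's code): a minimal model of the missing
# authorization check behind CVE-2023-3574 and a route-level audit for it.
from dataclasses import dataclass, field

# Hypothetical permission key; the bundle's real permission name is not on the page.
RULES_PERMISSION = "plugin_cmf_rules"

# Paths taken from the advisory's Location section, mapped to controller actions.
ROUTES = {
    ("GET", "/admin/customermanagementframework/rules/list"): "list",
    ("POST", "/admin/customermanagementframework/rules/add"): "add",
    ("PUT", "/admin/customermanagementframework/rules/save"): "save",
    ("DELETE", "/admin/customermanagementframework/rules/delete"): "delete",
}


class Forbidden(Exception):
    """Raised when the caller lacks the permission the action requires."""


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset = frozenset()


@dataclass
class RulesController:
    """Rules CRUD. enforce=False skips the permission check in every action,
    which reproduces the vulnerable behaviour; enforce=True is the hardened form."""
    enforce: bool = True
    rules: dict = field(default_factory=dict)
    _next_id: int = 1

    def _authorize(self, user: User) -> None:
        # Every entry point must call this before touching rule data.
        if self.enforce and RULES_PERMISSION not in user.permissions:
            raise Forbidden(f"{user.name} lacks {RULES_PERMISSION}")

    def list(self, user: User) -> dict:
        self._authorize(user)
        return dict(self.rules)

    def add(self, user: User, name: str) -> int:
        self._authorize(user)
        rule_id = self._next_id
        self._next_id += 1
        self.rules[rule_id] = name
        return rule_id

    def save(self, user: User, rule_id: int, name: str) -> None:
        self._authorize(user)
        if rule_id not in self.rules:
            raise KeyError(rule_id)
        self.rules[rule_id] = name

    def delete(self, user: User, rule_id: int) -> None:
        self._authorize(user)
        self.rules.pop(rule_id)


def dispatch(controller: RulesController, method: str, path: str, user: User, **params):
    """Route an HTTP-style (method, path) request to the matching controller action."""
    action = ROUTES[(method, path)]
    return getattr(controller, action)(user, **params)


def audit_routes(controller: RulesController, user: User) -> dict:
    """Exercise every admin route as `user` and report which ones were denied.
    Run with an account that lacks the permission: every value must be True."""
    # Seed a rule directly so save/delete have something to operate on; this is
    # test fixture, not a request, so it bypasses the controller on purpose.
    controller.rules[99] = "seed"
    params = {
        "list": {},
        "add": {"name": "new"},
        "save": {"rule_id": 99, "name": "renamed"},
        "delete": {"rule_id": 99},
    }
    denied = {}
    for (method, path), action in ROUTES.items():
        try:
            dispatch(controller, method, path, user, **params[action])
            denied[path] = False  # request went through: authorization gap
        except Forbidden:
            denied[path] = True
    return denied


if __name__ == "__main__":
    nobody = User("nobody")  # constructed unprivileged account
    print("vulnerable:", audit_routes(RulesController(enforce=False), nobody))
    print("hardened:  ", audit_routes(RulesController(enforce=True), nobody))
```

The audit is the regression test worth keeping after applying the 3.4.1 fix: it is driven by the route table rather than by individual actions, so a new endpoint added to the rules controller without a check shows up as a `False` entry instead of going unnoticed.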

Related news

GHSA-vx35-f379-4q49: Pimcore Customer Management Framework vulnerable to Improper Authorization in Rules Controller

Impact

The product performs authorization checks incorrectly when an unauthorized actor tries to access a resource or perform an action. The attacker can view and freely perform actions to add, modify, or delete rules.

Patches

Update to version 3.4.1 or apply this patch manually: https://github.com/pimcore/customer-data-framework/commit/f15668c86db254e86ba7ac895bc3cdd1a2a3cc45.patch

Workarounds

Apply https://github.com/pimcore/customer-data-framework/commit/f15668c86db254e86ba7ac895bc3cdd1a2a3cc45.patch manually.

References

https://huntr.dev/bounties/1dcb4f01-e668-4aa3-a6a3-838532e500c6/
