GHSA-25fx-3c2q-cq46

Source
https://github.com/advisories/GHSA-25fx-3c2q-cq46
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-25fx-3c2q-cq46/GHSA-25fx-3c2q-cq46.json
Aliases
Published
2023-05-17T15:48:04Z
Modified
2024-02-16T07:56:20.493475Z
Summary
pimcore/customer-management-framework-bundle has SQL Injection vulnerability in Segment Assignment query
Details

Impact

An administrator user can use the inheritable segments feature to execute his own blind SQL queries.

A user with administrator privileges can run any SQL query on database. This can be used to retrieve sensitive data, change database information or any other malicious activity against the database.

Patches

Update to version 3.3.10 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe.patch

Workarounds

Apply https://github.com/pimcore/customer-data-framework/commit/76df151737b7964ce5169fdf9e27a0ad801757fe.patch manually.

References

https://huntr.dev/bounties/cf398528-819f-456e-88e7-c06d268d3f44/

References

Affected packages

Packagist / pimcore/customer-management-framework-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
3.3.10

Affected versions

1.*

1.0.0
1.0.1
1.3.17

v1.*

v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.2.5
v1.2.6
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.3.5
v1.3.6
v1.3.7
v1.3.8
v1.3.9
v1.3.10
v1.3.11
v1.3.12
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.18
v1.3.19
v1.3.20
v1.3.21
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.8
v1.4.9
v1.4.10
v1.4.11
v1.4.12
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.6
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.8.0
v1.9.0
v1.9.1
v1.10.0
v1.10.1
v1.11.0
v1.12.0
v1.12.1
v1.13.0
v1.13.1
v1.14.0
v1.14.1
v1.14.2
v1.14.3
v1.14.4

v2.*

v2.0.0
v2.0.1
v2.1.0
v2.2.0
v2.2.1
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.6
v2.4.7
v2.5.0
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.6.0
v2.6.1
v2.6.2

2.*

2.4.5
2.5.1

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v3.1.1
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.14
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9