CVE-2023-49076
Pimcore missing token/header to prevent CSRF
Severity Score
6.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5.
El framework de datos del cliente permite la gestión de los datos del cliente dentro de Pimcore. No hay tokens ni encabezados para evitar que se produzcan ataques CSRF, por lo que un atacante podría aprovechar esta vulnerabilidad para crear nuevos clientes. Este problema se solucionó en la versión 4.0.5.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-11-21 CVE Reserved
- 2023-11-30 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- 2024-10-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-xx63-4jr8-9ghc | 2024-08-02 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433eff0aa2a9b537a89f7.patch | 2023-12-05 |
| URL | Date | SRC |
|---|