CVE-2024-29197

Pimcore Preview Documents are not restricted to logged in users anymore

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Pimcore is an Open Source Data & Experience Management Platform. Any call with the query argument `?pimcore_preview=true` allows to view unpublished sites. In previous versions of Pimcore, session information would propagate to previews, so only a logged in user could open a preview. This no longer applies. Previews are broad open to any user and with just the hint of a restricted link one could gain access to possible confident / unreleased information. This vulnerability is fixed in 11.2.2 and 11.1.6.1.

Pimcore es una plataforma de gestión de experiencias y datos de código abierto. Cualquier llamada con el argumento de consulta `?pimcore_preview=true` permite ver sitios no publicados. En versiones anteriores de Pimcore, la información de la sesión se propagaba a las vistas previas, por lo que solo un usuario que había iniciado sesión podía abrir una vista previa. Esto ya no se aplica. Las vistas previas están abiertas a cualquier usuario y con sólo un indicio de un enlace restringido se puede obtener acceso a posible información confidencial o inédita. Esta vulnerabilidad se solucionó en 11.2.2 y 11.1.6.1.

*Credits: N/A

CVSS Scores

GitHubv3.1 6.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-18 CVE Reserved
2024-03-26 CVE Published
2024-03-27 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (2)

URL	Tag	Source
https://github.com/pimcore/pimcore/commit/3ae43fb1065f9eb62ad2f542b883858d36d57e53	X_refsource_misc
https://github.com/pimcore/pimcore/security/advisories/GHSA-5737-rqv4-v445	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Pimcore Search vendor "Pimcore"		Pimcore Search vendor "Pimcore" for product "Pimcore"				>= 11.0.0.0 < 11.1.6.1 Search vendor "Pimcore" for product "Pimcore" and version " >= 11.0.0.0 < 11.1.6.1"		en		Affected
Pimcore Search vendor "Pimcore"		Pimcore Search vendor "Pimcore" for product "Pimcore"				>= 11.2.0 < 11.2.2 Search vendor "Pimcore" for product "Pimcore" and version " >= 11.2.0 < 11.2.2"		en		Affected