4.3

CVE-2024-21665

Exploit

EPSS 0.01%
Veröffentlicht 11.01.2024 01:15:45
Zuletzt bearbeitet 21.11.2024 08:54:49
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

ecommerce-framework-bundle is the Pimcore Ecommerce Framework Bundle. An authenticated and unauthorized user can access the back-office orders list and be able to query over the information returned. Access control and permissions are not being enforced. This vulnerability has been patched in version 1.0.10.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pimcore ≫ E-commerce Framework Version < 1.0.10

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.003

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/pimcore/ecommerce-framework-bundle/blob/ff6ff287b6eb468bb940909c56970363596e5c21/src/Controller/AdminOrderController.php#L98

Issue Tracking

https://github.com/pimcore/ecommerce-framework-bundle/commit/05dec000ed009828084d05cf686f468afd1f464e

Patch

https://github.com/pimcore/ecommerce-framework-bundle/releases/tag/v1.0.10

Release Notes

https://github.com/pimcore/ecommerce-framework-bundle/security/advisories/GHSA-cx99-25hr-5jxf

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-21665

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-21665

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-21665

EUVD