4.3
CVE-2024-21665
- EPSS 0.49%
- Veröffentlicht 11.01.2024 01:15:45
- Zuletzt bearbeitet 21.11.2024 08:54:49
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginPimcore Ecommerce Framework Bundle Improper Access Control allows unprivileged user to access back-office orders list
ecommerce-framework-bundle is the Pimcore Ecommerce Framework Bundle. An authenticated and unauthorized user can access the back-office orders list and be able to query over the information returned. Access control and permissions are not being enforced. This vulnerability has been patched in version 1.0.10.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Pimcore ≫ E-commerce Framework Version < 1.0.10
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.49% | 0.382 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
| security-advisories@github.com | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
CWE-284 Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
https://github.com/pimcore/ecommerce-framework-bundle/blob/ff6ff287b6eb468bb940909c56970363596e5c21/src/Controller/AdminOrderController.php#L98
https://github.com/pimcore/ecommerce-framework-bundle/commit/05dec000ed009828084d05cf686f468afd1f464e
https://github.com/pimcore/ecommerce-framework-bundle/releases/tag/v1.0.10
https://github.com/pimcore/ecommerce-framework-bundle/security/advisories/GHSA-cx99-25hr-5jxf