
CVE-2024-21666: CWE-284: Improper Access Control in pimcore customer-data-framework

Severity: Medium
Tags: Vulnerability, CVE-2024-21666, CWE-284
Published: Thu Jan 11 2024 (01/11/2024, 00:45:44 UTC)
Source: CVE Database V5
Vendor/Project: pimcore
Product: customer-data-framework

Description

The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management, segmentation, personalization and marketing automation. An authenticated but unauthorized user can access the list of potential duplicate users and see their data. Permissions are not enforced when reaching the `/admin/customermanagementframework/duplicates/list` endpoint, allowing an authenticated user without the required permissions to access the endpoint and query the data available there. Unauthorized users can therefore access customer PII. This vulnerability has been patched in version 4.0.6.

AI-Powered Analysis

Last updated: 07/03/2025, 22:56:20 UTC

Technical Analysis

CVE-2024-21666 is a medium-severity vulnerability affecting the Customer Management Framework (CMF) component of Pimcore's customer-data-framework product, specifically versions prior to 4.0.6. The vulnerability arises from improper access control (CWE-284) in the handling of the endpoint `/admin/customermanagementframework/duplicates/list`. This endpoint is designed to provide a list of potential duplicate users to authorized personnel for customer data management purposes. Because the permission check is not enforced on this route, any authenticated user, including those without the explicit CMF permission, can call it and retrieve sensitive Personally Identifiable Information (PII) of customers. The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N), with low attack complexity (AC:L). The attacker must hold some level of authentication (PR:L), but no UI interaction is needed (UI:N). The impact is on confidentiality only (C:H), with no impact on integrity or availability. The flaw allows unauthorized disclosure of sensitive customer data, which could lead to privacy violations, regulatory non-compliance, and reputational damage. The vendor has addressed this issue in version 4.0.6 by properly enforcing permissions on the affected endpoint. No known exploits are currently reported in the wild, but the PII exposure makes this a significant concern for organizations running vulnerable versions of the product.

Potential Impact

For European organizations, the exposure of customer PII due to this vulnerability poses serious risks, especially under strict data protection regulations such as the EU's General Data Protection Regulation (GDPR). Unauthorized access to customer data can lead to regulatory fines, legal liabilities, and loss of customer trust. Organizations relying on Pimcore's customer-data-framework for marketing automation and customer segmentation are particularly at risk, as attackers could harvest sensitive data to conduct identity theft, phishing campaigns, or other targeted attacks. The breach of confidentiality could also impact business partnerships and contractual obligations related to data privacy. Since the vulnerability requires authentication, the risk is heightened if internal user accounts are compromised or if an insider threat exploits the flaw. The lack of impact on integrity and availability limits the scope to data leakage, but the sensitivity of the data involved elevates the overall risk profile for affected European entities.

Mitigation Recommendations

European organizations should immediately verify their Pimcore customer-data-framework version and upgrade to version 4.0.6 or later where the vulnerability is patched. Beyond patching, organizations should audit user roles and permissions to ensure that only authorized personnel have access to sensitive customer data endpoints. Implementing strict access controls and monitoring access logs for unusual activity on the `/admin/customermanagementframework/duplicates/list` endpoint can help detect exploitation attempts. Additionally, enforcing multi-factor authentication (MFA) for all users with access to the Pimcore admin interface can reduce the risk of credential compromise. Organizations should also conduct regular security assessments and penetration testing focused on access control mechanisms within their customer data management systems. Finally, reviewing and updating incident response plans to address potential data breaches involving PII is recommended to ensure timely and compliant responses.
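The log-monitoring recommendation above, worked through as an added example (not code from the advisory or from Pimcore): it parses combined-format access log lines and flags successful requests to the duplicates endpoint from users outside an assumed allowlist. The log lines are constructed samples; the user field is assumed to be populated by your proxy or auth layer, and the allowlist of users holding the CMF permission is an assumption you must fill from your own role audit.

```python
import re
from collections import Counter
from typing import Iterable

# Endpoint named in the advisory; a 2xx response to a user who should not hold
# the CMF permission indicates exposure on an unpatched (< 4.0.6) install.
DUPLICATES_ENDPOINT = "/admin/customermanagementframework/duplicates/list"

# Combined log format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines, not real traffic. Adjust LOG_RE to your log format.
SAMPLE_LOG = """\
10.0.0.5 - alice [11/Jan/2024:09:01:02 +0000] "GET /admin/customermanagementframework/duplicates/list?page=1 HTTP/1.1" 200 8213
10.0.0.9 - bob [11/Jan/2024:09:02:10 +0000] "GET /admin/customermanagementframework/duplicates/list HTTP/1.1" 200 9140
10.0.0.9 - bob [11/Jan/2024:09:02:11 +0000] "GET /admin/customermanagementframework/duplicates/list?page=2 HTTP/1.1" 200 9001
10.0.0.7 - carol [11/Jan/2024:09:03:00 +0000] "GET /admin/customermanagementframework/duplicates/list HTTP/1.1" 403 412
10.0.0.9 - bob [11/Jan/2024:09:04:00 +0000] "GET /admin/login HTTP/1.1" 200 1500
"""


def find_unauthorised_access(lines: Iterable[str], allowed_users: set[str]) -> Counter:
    """Count (user, host) pairs that successfully fetched the duplicates list
    while not being in the authorised set.

    A 403 means the patched version (or a proxy rule) refused the request, so
    it is not counted as exposure; it can still be reviewed as an attempt.
    """
    hits: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than fail the whole scan
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path != DUPLICATES_ENDPOINT:
            continue
        if m.group("status").startswith("2") and m.group("user") not in allowed_users:
            hits[(m.group("user"), m.group("host"))] += 1
    return hits


if __name__ == "__main__":
    # "alice" stands in for the users your audit confirmed hold the CMF permission.
    for (user, host), n in find_unauthorised_access(SAMPLE_LOG.splitlines(), {"alice"}).items():
        print(f"ALERT: {user}@{host} retrieved the duplicates list {n} time(s)")
```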


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2023-12-29T16:10:20.368Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683f0a31182aa0cae27f6f2b

Added to database: 6/3/2025, 2:44:01 PM

Last enriched: 7/3/2025, 10:56:20 PM

Last updated: 8/12/2025, 1:02:43 AM
