logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-21665 pimcore/ecommerce-framework-bundle

Package

Manager: composer
Name: pimcore/ecommerce-framework-bundle
Vulnerable Version: >=0 <1.0.10

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 6e-05 pctl0.00289

Details

Pimcore Ecommerce Framework Bundle Improper Access Control allows unprivileged user to access back-office orders list ### Summary An authenticated and unauthorized user can access the back-office orders list and be able to query over the information returned. ### Details Permissions do not seem to be enforced when reaching the `admin/ecommerceframework/admin-order/list` endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. It seems that the access control is not enforced in this place : <https://github.com/pimcore/ecommerce-framework-bundle/blob/ff6ff287b6eb468bb940909c56970363596e5c21/src/Controller/AdminOrderController.php#L98> __Note__ : Testing this vulnerability requires a fully configured ecommerce website, but it looks vulnerable as when requesting the endpoint the data seem returned (and when looking at the source code nothing seems to validate the permissions on the specified endpoint). ### PoC In order to reproduce the issue, the following steps can be followed : 1. As an administrator : a. Create a role without any permission through Settings → User & Roles → Roles in the administration panel b. Create an user through Settings → User & Roles → Users and assign it the unprivileged role previously created 2. Log out the current administrator and log in with this new user 3. Access to the following endpoint `https://pimcore_instance/admin/ecommerceframework/admin-order/list` and the results will be returned to this unauthorized user ### Impact An unauthorized user can access back-office orders without being authorized to.

Metadata

Created: 2024-01-10T15:14:38Z
Modified: 2024-01-11T15:41:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-cx99-25hr-5jxf/GHSA-cx99-25hr-5jxf.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-cx99-25hr-5jxf
Finding: F039
Auto approve: 1