Pimcore Customer Data Framework SQL Injection Vulnerability in Customer Management Endpoint

Vulnerability

A critical SQL injection vulnerability has been identified in Pimcore customer-data-framework versions prior to 4.2.0. The issue arises in the customer management framework's list endpoint, where the filterDefinition and filter parameters can be manipulated to execute arbitrary SQL commands. This vulnerability allows authenticated users to access sensitive data, modify data, or potentially gain complete control over the server.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary SQL commands, leading to unauthorized data access, data modification, or complete server control.

Reproduction

To reproduce this vulnerability, authenticate with valid user credentials and navigate to the customer management framework's list endpoint. In the request, include manipulated values for the filterDefinition and filter parameters. After sending the request, check the response for an SQL error message, which indicates that the input was not properly sanitized and could be exploited for SQL injection.
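For defenders who cannot upgrade immediately, the following added example (not part of the original advisory or of Pimcore's code) triages web access logs for requests to the list endpoint whose filter or filterDefinition parameters carry SQL metacharacters. The endpoint path is a placeholder, and the log format, the bracketed sub-key names, the token list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: placeholder path; replace with the list endpoint path of your deployment.
LIST_ENDPOINT = "/PLACEHOLDER/customers/list"

# Heuristic: tokens a normal list filter is not expected to contain (tune per site).
SUSPICIOUS = re.compile(
    r"['\"`;\\]|--|/\*|\b(?:union|select|sleep|benchmark|information_schema)\b", re.I)

# Request target and response status in common/combined log format.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - alice [09/Jun/2025:10:00:01 +0000] "GET /PLACEHOLDER/customers/list'
    '?filterDefinition%5Bid%5D=0&filter%5Bemail%5D=smith HTTP/1.1" 200 5120',
    '203.0.113.9 - bob [09/Jun/2025:10:02:13 +0000] "GET /PLACEHOLDER/customers/list'
    '?filter%5Bemail%5D=smith%27 HTTP/1.1" 500 812',
    '203.0.113.9 - bob [09/Jun/2025:10:02:40 +0000] "GET /other/page'
    '?q=it%27s HTTP/1.1" 200 100',
]

def is_filter_param(name):
    """True for filter / filterDefinition and their bracketed sub-keys."""
    base = name.split("[", 1)[0]
    return base in ("filter", "filterDefinition")

def scan(lines):
    """Return (line number, HTTP status, parameter name) for each suspicious hit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith(LIST_ENDPOINT):
            continue
        status = int(match.group(2))
        # parse_qsl percent-decodes names and values, so encoded quotes are caught.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if is_filter_param(name) and (SUSPICIOUS.search(name) or SUSPICIOUS.search(value)):
                findings.append((lineno, status, name))
    return findings

if __name__ == "__main__":
    for lineno, status, name in scan(SAMPLE_LOG):
        print(f"line {lineno}: status {status}, suspicious value in {name}")
```

A hit paired with a 5xx status matches the SQL error behaviour described above and deserves review first; parameters sent in a request body do not appear in access logs and need application or WAF logging instead.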

Remediation

Users are advised to upgrade to Pimcore customer-data-framework version 4.2.1, which addresses this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.1
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.