Improper Authorization in "Customer automation rules" function in pimcore/customer-data-framework

Valid

Reported on

May 28th 2023


Description

The product performs authorization checks incorrectly when an unauthorized actor tries to access a resource or perform an action.

Proof of Concept

The user does not have permission to delete the rule.

Location

  • GET /admin/customermanagementframework/rules/list
  • POST /admin/customermanagementframework/rules/add
  • PUT /admin/customermanagementframework/rules/save
  • DELETE /admin/customermanagementframework/rules/delete

Image

https://drive.google.com/drive/folders/1bSCkTQtcGhtdzRjKGD3KIA-8Kx3a406u?usp=sharing

Impact

The attacker can view and freely perform actions to add, modify, or delete rules.
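The endpoints listed under Location and the impact described above lend themselves to a simple authorization regression check. The following is an added example, not code from the report or from the pimcore project: it sends each of the four rule endpoints with a given session and flags any that deviate from the expected policy (an unprivileged session must be refused, a privileged one must succeed). The transport is injected, and the fake server, session names and status codes below are constructed so that it runs offline.

```python
from typing import Callable, List, Set, Tuple

# (method, path) pairs exactly as listed under "Location" in the report.
RULE_ENDPOINTS: List[Tuple[str, str]] = [
    ("GET", "/admin/customermanagementframework/rules/list"),
    ("POST", "/admin/customermanagementframework/rules/add"),
    ("PUT", "/admin/customermanagementframework/rules/save"),
    ("DELETE", "/admin/customermanagementframework/rules/delete"),
]

# Transport: (session, method, path) -> HTTP status. A real deployment would
# plug in an HTTP client here; the example uses a constructed fake server.
Sender = Callable[[str, str, str], int]


def check_rule_authorization(send: Sender, session: str, expect_allowed: bool) -> List[str]:
    """Return one finding per endpoint whose response contradicts the policy.

    expect_allowed=False: the session lacks the rules permission, so every
    endpoint must answer 401/403. expect_allowed=True: the session holds the
    permission, so every endpoint must answer 2xx (guards against over-fixing)."""
    findings = []
    for method, path in RULE_ENDPOINTS:
        status = send(session, method, path)
        if expect_allowed and not 200 <= status < 300:
            findings.append(f"{method} {path}: privileged session denied with {status}")
        elif not expect_allowed and status not in (401, 403):
            findings.append(f"{method} {path}: unprivileged session got {status}")
    return findings


def make_fake_server(privileged_sessions: Set[str], enforce: bool) -> Sender:
    """Constructed stand-in for the admin backend (hypothetical, not pimcore code).

    enforce=False models the reported behaviour: any authenticated session may
    list, add, save or delete rules. enforce=True models the intended behaviour:
    a session without the rules permission is refused with 403."""
    def send(session: str, method: str, path: str) -> int:
        if (method, path) not in RULE_ENDPOINTS:
            return 404
        if enforce and session not in privileged_sessions:
            return 403
        return 200
    return send


if __name__ == "__main__":
    for label, enforce in (("vulnerable", False), ("fixed", True)):
        server = make_fake_server({"admin-session"}, enforce)
        print(label, check_rule_authorization(server, "lowpriv-session", False) or "OK")
        print(label, check_rule_authorization(server, "admin-session", True) or "OK")
```

Against the unenforced fake every endpoint is reported, against the enforced one none is, while the privileged session keeps working in both cases.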

We are processing your report and will contact the pimcore/customer-data-framework team within 24 hours. 4 months ago
aqngoc modified the report
4 months ago
aqngoc modified the report
4 months ago
We have contacted a member of the pimcore/customer-data-framework team and are waiting to hear back 4 months ago
pimcore/customer-data-framework maintainer has acknowledged this report 4 months ago
Divesh Pahuja
4 months ago

Maintainer


Unfortunately the reported repository is wrong and the correct repo is pimcore/customer-data-framework. @admin can you please resolve it? thanks!

aqngoc
4 months ago

Researcher


@admin could you please help me make the changes? Or should I close the report and submit it again to the correct repository?

Pavlos
3 months ago

Admin


on it :)

aqngoc modified the report
3 months ago
aqngoc
3 months ago

Researcher


Hi @admin @maintainer, any news on this?

Ben Harvie
3 months ago

Admin


Apologies for the wait, the report has now been updated :)

Divesh Pahuja
2 months ago

Maintainer


@admin thanks for your help. We also need to update the affected version to 3.4.0 as there's no 11.0.0 version.

Ben Harvie
2 months ago

Admin


Update has been made as requested:)

Divesh Pahuja
2 months ago

Maintainer


thank you 🙏

Divesh Pahuja validated this vulnerability 2 months ago
aqngoc has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Divesh Pahuja marked this as fixed in 3.4.1 with commit f15668 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 2 months ago