all user password hash is disclosed in pimcore/customer-data-framework


Reported on

May 2nd 2023

Proof of Concept

login to admin account and then visit[operator-customer]=AND&filter[operator-segments]=AND&filter[showSegments][0]=832&filter[showSegments][1]=833&filter[showSegments][2]=874&filterDefinition[id]=1

able to enum password of id=1016, likewise we can replace id with other user , for example 1015, password hash can be disclosed which can be further cracked with hashcat


Account takeover

We are processing your report and will contact the pimcore/customer-data-framework team within 24 hours. 23 days ago
We have contacted a member of the pimcore/customer-data-framework team and are waiting to hear back 22 days ago
Bernhard Rusch
21 days ago

Unfortunately this was reported to the wrong repository, would be the right one, maybe @admin can move it.

Ben Harvie
11 days ago


Repository updated:)

pimcore/customer-data-framework maintainer has acknowledged this report 11 days ago
Divesh Pahuja validated this vulnerability 10 days ago
Pankaj Kumar Thakur has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
10 days ago


Dear Concern,

is this finding eligible for CVE ?

Thank you.

Divesh Pahuja
9 days ago

yes, we'll close the issue and assign CVE when the fix version 3.3.10 is released soon. thanks!

Divesh Pahuja
9 days ago

Hi @haxpunk1337, I have noticed that we need to update the affected version here to 3.3.9 as the issue was fixed in version 3.3.10. Could you please update it? and then we can close this issue. thanks!

8 days ago


Dear concern ,

i was unable to update here, maybe @admin can fix it.

Thank you

Ben Harvie
3 days ago


On it:)

Divesh Pahuja marked this as fixed in 3.3.10 with commit d1d58c 12 hours ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 12 hours ago
to join this conversation