all user password hash is disclosed in pimcore/customer-data-framework
May 2nd 2023
Proof of Concept
login to admin account and then visit
able to enum password of id=1016, likewise we can replace id with other user , for example 1015, password hash can be disclosed which can be further cracked with hashcat
Unfortunately this was reported to the wrong repository, https://github.com/pimcore/customer-data-framework would be the right one, maybe @admin can move it.
is this finding eligible for CVE ?
yes, we'll close the issue and assign CVE when the fix version 3.3.10 is released soon. thanks!
Hi @haxpunk1337, I have noticed that we need to update the affected version here to 3.3.9 as the issue was fixed in version 3.3.10. Could you please update it? and then we can close this issue. thanks!
Dear concern ,
i was unable to update here, maybe @admin can fix it.