All user password hashes are disclosed in pimcore/customer-data-framework

Valid

Reported on

May 2nd 2023


Proof of Concept

Log in to the admin account and then visit

https://demo.pimcore.fun/admin/customermanagementframework/customers/detail?id=1016&filter[operator-customer]=AND&filter[operator-segments]=AND&filter[showSegments][0]=832&filter[showSegments][1]=833&filter[showSegments][2]=874&filterDefinition[id]=1

Able to enumerate the password of id=1016; likewise we can replace id with another user, for example 1015, and the password hash can be disclosed, which can be further cracked with hashcat.

Impact

Account takeover
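As a defender-side illustration added here (not code from pimcore or from the reporter), the following shows the kind of output filtering that stops a serialised customer record from carrying its password hash into an admin detail response: sensitive keys are redacted, and as defence in depth the serialiser refuses to emit any value that still looks like a password hash, whatever key it sits under. The key names, the sample record and its hash values are constructed for the example.

```python
import json
import re
from typing import Any, List

# Field names that must never leave the server in a customer detail response
# (assumed names; pimcore's actual field names are not taken from this page).
SENSITIVE_KEYS = {"password", "passwordHash", "password_hash", "salt"}

# Prefixes of common password-hash encodings (bcrypt, argon2, sha-crypt),
# used as a defence-in-depth check on values, so a hash stored under an
# unexpected key name is still caught before serialisation.
HASH_PATTERN = re.compile(r"^\$(2[aby]|argon2(?:i|d|id)|5|6)\$")


def redact(obj: Any) -> Any:
    """Return a copy of obj with sensitive keys replaced by a marker, recursively."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def find_hash_values(obj: Any, path: str = "$") -> List[str]:
    """Return JSON paths of every string value that still looks like a password hash."""
    hits: List[str] = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            hits += find_hash_values(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits += find_hash_values(v, f"{path}[{i}]")
    elif isinstance(obj, str) and HASH_PATTERN.match(obj):
        hits.append(path)
    return hits


def safe_customer_response(record: dict) -> str:
    """Serialise a customer record for the detail view; fail closed if a hash would leak."""
    cleaned = redact(record)
    leaks = find_hash_values(cleaned)
    if leaks:
        raise ValueError(f"password hash would be exposed at: {leaks}")
    return json.dumps(cleaned)


# Constructed sample record; both hashes are made-up bcrypt-shaped strings, not real data.
SAMPLE = {
    "id": 1016,
    "email": "customer@example.com",
    "password": "$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ012345",
    "segments": [{"id": 832, "name": "newsletter"}],
    "meta": {"legacyCredential": "$2y$10$zyxwvutsrqponmlkjihgfeABCDEFGHIJKLMNOPQRSTUVWXYZ012345"},
}
```

Running `safe_customer_response(SAMPLE)` raises, because the hash under the unexpected `meta.legacyCredential` key survives key-based redaction and is only caught by the value check.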

We are processing your report and will contact the pimcore/customer-data-framework team within 24 hours. 7 months ago
We have contacted a member of the pimcore/customer-data-framework team and are waiting to hear back 7 months ago
Bernhard Rusch
7 months ago

Unfortunately this was reported to the wrong repository, https://github.com/pimcore/customer-data-framework would be the right one, maybe @admin can move it.

Ben Harvie
7 months ago

Admin


Repository updated :)

pimcore/customer-data-framework maintainer has acknowledged this report 7 months ago
Divesh Pahuja validated this vulnerability 7 months ago
Pankaj Kumar Thakur has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Pankaj
7 months ago

Researcher


Dear Concern,

is this finding eligible for CVE ?

Thank you.

Divesh Pahuja
7 months ago

Yes, we'll close the issue and assign a CVE when the fix version 3.3.10 is released soon. Thanks!

Divesh Pahuja
7 months ago

Hi @haxpunk1337, I have noticed that we need to update the affected version here to 3.3.9, as the issue was fixed in version 3.3.10. Could you please update it? Then we can close this issue. Thanks!

Pankaj
7 months ago

Researcher


Dear Concern,

I was unable to update it here; maybe @admin can fix it.

Thank you

Ben Harvie
6 months ago

Admin


On it :)

Divesh Pahuja marked this as fixed in 3.3.10 with commit d1d58c 6 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Divesh Pahuja published this vulnerability 6 months ago