Skip to content

Improper Access Control allows unprivileged user to access GDPR extracts

Moderate
wisconaut published GHSA-g273-wppx-82w4 Jan 10, 2024

Package

composer pimcore/customer-data-framework (Composer)

Affected versions

<= 4.0.5

Patched versions

4.0.6

Description

Summary

An authenticated and unauthorized user can access the GDPR data extraction feature and query over the information returned, leading to customer data exposure.

Details

Permissions do not seem to be enforced when reaching the /admin/customermanagementframework/gdpr-data/search-data-objects endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. It seems that the access control is not enforced in this place :

customer-data-framework/src/Controller/Admin/GDPRDataController.php

Line 38 in b4af625

public function searchDataObjectsAction(Request $request, Customers $service): JsonResponse

PoC

In order to reproduce the issue, the following steps can be followed:

  1. As an administrator :
    a. Create a role without any permission through Settings → User & Roles → Roles in the administration panel
    b. Create an user through Settings → User & Roles → Users and assign it the unprivileged role previously created
  2. Log out the current administrator and log in with this new user
  3. Access to the following endpoint https://pimcore_instance/admin/customermanagementframework/gdpr-data/search-data-objects?id=&firstname=&lastname=&email=&page=1&start=0&limit=50 and the results will be returned to this unauthorized user.

Impact

An unauthorized user can access PII data from customers without being authorized to.

Severity

Moderate
6.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2024-21667

Weaknesses