Pimcore customers' list user password hash is disclosed
Moderate severity
GitHub Reviewed
Published
May 25, 2023
in
pimcore/customer-data-framework
•
Updated Nov 5, 2023
Package
Affected versions
< 3.3.10
Patched versions
3.3.10
Description
Published by the National Vulnerability Database
May 25, 2023
Published to the GitHub Advisory Database
May 25, 2023
Reviewed
May 25, 2023
Last updated
Nov 5, 2023
Impact
The customer view exposes the hashed password along with other deails. An attacker is then able to enum password of a particular id, likewise we can replace id with other user , for example 1015, password hash can be disclosed which can be further cracked with hashcat
Patches
Update to version 3.3.10 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/d1d58c10313f080737dc1e71fab3beb12488a1e6.patch
Workarounds
Apply https://github.com/pimcore/customer-data-framework/commit/d1d58c10313f080737dc1e71fab3beb12488a1e6.patch manually.
References
https://huntr.dev/bounties/db6c32f4-742e-4262-8fd5-cefd0f133416/
References