SQL Injection Vulnerability in Pimcore Customer Data Framework
CVE-2024-11956
Key Information:
- Vendor
Pimcore
- Status
- Vendor
- CVE Published:
- 28 January 2025
Badges
What is CVE-2024-11956?
A vulnerability has been identified in Pimcore's Customer Data Framework affecting versions up to 4.2.0. The issue arises from improper validation of user input in the /admin/customermanagementframework/customers/list functionality, which allows an attacker to manipulate the filterDefinition/filter argument, potentially leading to SQL injection. This can be exploited remotely, posing a significant risk to data integrity and confidentiality. Users are advised to update to version 4.2.1 or later to mitigate this vulnerability, as the exploit has been made public.
Affected Version(s)
customer-data-framework 4.0
customer-data-framework 4.1
customer-data-framework 4.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.