CVE-2023-49076: Cross-Site Request Forgery (CSRF)

November 30, 2023 (updated December 5, 2023)

Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5.

References

github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433eff0aa2a9b537a89f7.patch
github.com/pimcore/customer-data-framework/security/advisories/GHSA-xx63-4jr8-9ghc
nvd.nist.gov/vuln/detail/CVE-2023-49076

Code Behaviors & Features

Detect and mitigate CVE-2023-49076 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →