GHSA-CX99-25HR-5JXF

Vulnerability from github – Published: 2024-01-10 15:14 – Updated: 2024-01-11 15:41
VLAI?
Summary
Pimcore Ecommerce Framework Bundle Improper Access Control allows unprivileged user to access back-office orders list
Details

Summary

An authenticated and unauthorized user can access the back-office orders list and be able to query over the information returned.

Details

Permissions do not seem to be enforced when reaching the admin/ecommerceframework/admin-order/list endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. It seems that the access control is not enforced in this place :

https://github.com/pimcore/ecommerce-framework-bundle/blob/ff6ff287b6eb468bb940909c56970363596e5c21/src/Controller/AdminOrderController.php#L98

Note : Testing this vulnerability requires a fully configured ecommerce website, but it looks vulnerable as when requesting the endpoint the data seem returned (and when looking at the source code nothing seems to validate the permissions on the specified endpoint).

PoC

In order to reproduce the issue, the following steps can be followed :

  1. As an administrator : a. Create a role without any permission through Settings → User & Roles → Roles in the administration panel b. Create an user through Settings → User & Roles → Users and assign it the unprivileged role previously created
  2. Log out the current administrator and log in with this new user
  3. Access to the following endpoint https://pimcore_instance/admin/ecommerceframework/admin-order/list and the results will be returned to this unauthorized user

Impact

An unauthorized user can access back-office orders without being authorized to.

Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pimcore/ecommerce-framework-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21665"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-10T15:14:38Z",
    "nvd_published_at": "2024-01-11T01:15:45Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nAn authenticated and unauthorized user can access the back-office orders list and be able to query over the information returned.\n\n### Details\nPermissions do not seem to be enforced when reaching the `admin/ecommerceframework/admin-order/list` endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. It seems that the access control is not enforced in this place :\n\n\u003chttps://github.com/pimcore/ecommerce-framework-bundle/blob/ff6ff287b6eb468bb940909c56970363596e5c21/src/Controller/AdminOrderController.php#L98\u003e\n\n__Note__ :  Testing this vulnerability requires a fully configured ecommerce website, but it looks vulnerable as when requesting the endpoint the data seem returned (and when looking at the source code nothing seems to validate the permissions on the specified endpoint).\n\n### PoC\nIn order to reproduce the issue, the following steps can be followed :\n\n1.  As an administrator :\n  a. Create a role without any permission through Settings \u2192 User \u0026 Roles \u2192 Roles in the administration panel\n  b. Create an user through Settings \u2192 User \u0026 Roles \u2192 Users and assign it the unprivileged role previously created\n2. Log out the current administrator and log in with this new user\n3. Access to the following endpoint `https://pimcore_instance/admin/ecommerceframework/admin-order/list` and the results will be returned to this unauthorized user\n\n### Impact\nAn unauthorized user can access back-office orders without being authorized to.\n",
  "id": "GHSA-cx99-25hr-5jxf",
  "modified": "2024-01-11T15:41:40Z",
  "published": "2024-01-10T15:14:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/ecommerce-framework-bundle/security/advisories/GHSA-cx99-25hr-5jxf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21665"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/ecommerce-framework-bundle/commit/05dec000ed009828084d05cf686f468afd1f464e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pimcore/ecommerce-framework-bundle"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/ecommerce-framework-bundle/blob/ff6ff287b6eb468bb940909c56970363596e5c21/src/Controller/AdminOrderController.php#L98"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pimcore/ecommerce-framework-bundle/releases/tag/v1.0.10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pimcore Ecommerce Framework Bundle Improper Access Control allows unprivileged user to access back-office orders list"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.