Impact
After navigating to the Customers section of the Pimcore application, clicking on New Customer submits the following HTTP GET request:
GET /admin/customermanagementframework/customers/new HTTP/1.1
Host: demo.pimcore.fun
Cookie: PHPSESSID=7a4c4ceddbbb3809dab7852fa60713c6; _pc_vis=ce525cb79e817973; _pc_ses=1695307137653
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
As you can see, there isn't any token or header to prevent CSRF attacks from occurring, so an attacker could abuse this vulnerability to create new customers!
Proof of Concept
A successful HTTP response will be received:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 26
X-Header: <value>

{"success":true,"id":1191}
Impact: Creating a new customer on behalf of the admin, which affects the admin's integrity!
Patches
Apply https://github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433eff0aa2a9b537a89f7.patch manually.
Workarounds
Update to version 4.0.5 or apply this patch manually: https://github.com/pimcore/customer-data-framework/commit/ef7414415cfa64189b8433eff0aa2a9b537a89f7.patch
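A server-side check for the defenses the advisory finds missing, as an added example that is not Pimcore's code or the referenced patch: it rejects a state change that arrives with a safe method, without a valid per-session token, or from a cross-site initiator. The header name X-CSRF-Token, the token value, and the HARDENED and CROSS_SITE requests are constructed assumptions; CAPTURED reuses the request line and three headers from the advisory.

```python
import hmac

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TOKEN_HEADER = "x-csrf-token"        # assumed header name, not from the advisory
TOKEN = "constructed-session-token"  # constructed per-session token value

# Request line and three headers from the advisory (cookie and others omitted).
CAPTURED = """GET /admin/customermanagementframework/customers/new HTTP/1.1
Host: demo.pimcore.fun
X-Requested-With: XMLHttpRequest
Sec-Fetch-Site: same-origin"""
# Constructed: the same action sent as a token-bearing POST.
HARDENED = """POST /admin/customermanagementframework/customers/new HTTP/1.1
Host: demo.pimcore.fun
X-CSRF-Token: constructed-session-token
Sec-Fetch-Site: same-origin"""
# Constructed: a request whose initiator the browser labels as another site.
CROSS_SITE = """POST /admin/customermanagementframework/customers/new HTTP/1.1
Host: demo.pimcore.fun
Sec-Fetch-Site: cross-site"""


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, path, headers)."""
    lines = [ln.strip() for ln in raw.strip().splitlines()]
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), path, headers


def csrf_findings(raw, session_token):
    """Return the reasons a state-changing handler should reject this request."""
    method, _path, headers = parse_request(raw)
    findings = []
    if method in SAFE_METHODS:
        findings.append("state change via safe method " + method)
    sent = headers.get(TOKEN_HEADER, "")
    if not sent or not hmac.compare_digest(sent.encode(), session_token.encode()):
        findings.append("missing or invalid CSRF token")
    site = headers.get("sec-fetch-site")  # absent on older clients; token still required
    if site not in (None, "same-origin"):
        findings.append("cross-site initiator: " + site)
    return findings
```

An empty list from `csrf_findings` means the request may proceed; the request captured in the advisory returns two findings.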