You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The customer view exposes the hashed password along with other deails. An attacker is then able to enum password of a particular id, likewise we can replace id with other user , for example 1015, password hash can be disclosed which can be further cracked with hashcat
Impact
The customer view exposes the hashed password along with other deails. An attacker is then able to enum password of a particular id, likewise we can replace id with other user , for example 1015, password hash can be disclosed which can be further cracked with hashcat
Patches
Update to version 3.3.10 or apply this patch manually https://github.com/pimcore/customer-data-framework/commit/d1d58c10313f080737dc1e71fab3beb12488a1e6.patch
Workarounds
Apply https://github.com/pimcore/customer-data-framework/commit/d1d58c10313f080737dc1e71fab3beb12488a1e6.patch manually.
References
https://huntr.dev/bounties/db6c32f4-742e-4262-8fd5-cefd0f133416/