Cyber Resilience

CVE-2023-2756

HighPublic PoC

Published: 17 May 2023

Published
17 May 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0004 13.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-2756 is a high-severity SQL Injection (CWE-89) vulnerability in Pimcore Customer Management Framework. Its CVSS base score is 7.2 (High).

Operationally, ranked at the 13.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-2756 is a SQL injection vulnerability, tracked as CWE-89, that affects the pimcore/customer-data-framework GitHub repository in versions prior to 3.3.10. The flaw carries a CVSS 3.1 score of 7.2 with a vector indicating network attack reachability, low complexity, and high privileges required.

An authenticated user with administrative privileges can supply crafted input over the network to execute arbitrary SQL commands, resulting in full compromise of confidentiality, integrity, and availability within the affected customer-data framework component. The issue was disclosed through a huntr.dev bounty and addressed via a specific code change in the repository.

Mitigation guidance centers on applying the patch referenced in the GitHub commit 76df151737b7964ce5169fdf9e27a0ad801757fe, which updates the package to version 3.3.10 or later.

EPSS for the CVE rose materially from a low baseline to a peak of 0.0697 before receding to its current value of 0.0004.

EU & UK References

Vulnerability details

SQL Injection in GitHub repository pimcore/customer-data-framework prior to 3.3.10.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

pimcore
customer management framework
≤ 3.3.10

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.

References