CVE-2023-2756
Published: 17 May 2023
Summary
CVE-2023-2756 is a high-severity SQL Injection (CWE-89) vulnerability in Pimcore Customer Management Framework. Its CVSS base score is 7.2 (High).
Operationally, ranked at the 13.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-2756 is a SQL injection vulnerability, tracked as CWE-89, that affects the pimcore/customer-data-framework GitHub repository in versions prior to 3.3.10. The flaw carries a CVSS 3.1 score of 7.2 with a vector indicating network attack reachability, low complexity, and high privileges required.
An authenticated user with administrative privileges can supply crafted input over the network to execute arbitrary SQL commands, resulting in full compromise of confidentiality, integrity, and availability within the affected customer-data framework component. The issue was disclosed through a huntr.dev bounty and addressed via a specific code change in the repository.
Mitigation guidance centers on applying the patch referenced in the GitHub commit 76df151737b7964ce5169fdf9e27a0ad801757fe, which updates the package to version 3.3.10 or later.
EPSS for the CVE rose materially from a low baseline to a peak of 0.0697 before receding to its current value of 0.0004.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1441
Vulnerability details
SQL Injection in GitHub repository pimcore/customer-data-framework prior to 3.3.10.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.