CVE-2024-11956

MediumPublic PoC

Published: 28 January 2025

Published

28 January 2025

Modified

04 November 2025

KEV Added

—

Patch

—

CVSS Score 4.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0000 0.2th percentile

Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-11956 is a medium-severity Injection (CWE-74) vulnerability in Pimcore Pimcore. Its CVSS base score is 4.7 (Medium).

Operationally, ranked at the 0.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of untrusted inputs like the filterDefinition/filter argument to prevent SQL injection exploitation.

SI-2 Flaw Remediation good match

prevent

Mandates timely flaw remediation by applying the available patch to Pimcore customer-data-framework version 4.2.1.

SC-7 Boundary Protection partial match

prevent

Boundary protection with web application firewalls inspects and blocks remote requests containing SQL injection payloads in the filter parameter.

NVD Description

A vulnerability, which was classified as critical, has been found in Pimcore customer-data-framework up to 4.2.0. Affected by this issue is some unknown functionality of the file /admin/customermanagementframework/customers/list. The manipulation of the argument filterDefinition/filter leads to sql injection. The attack…

may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component.

Deeper analysisAI

CVE-2024-11956 is a SQL injection vulnerability (classified as critical, associated with CWE-74 and CWE-89) in Pimcore customer-data-framework versions up to 4.2.0. The issue affects unknown functionality in the file /admin/customermanagementframework/customers/list, where manipulation of the filterDefinition/filter argument triggers the injection.

The vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L), but requires high privileges (PR:H) and no user interaction (UI:N). Attackers with sufficient access can achieve low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), corresponding to a CVSS v3.1 base score of 4.7 in an unchanged scope (S:U).

Advisories from Pimcore and VulDB recommend upgrading to version 4.2.1, which addresses the issue, as detailed in the GitHub release notes and security advisory (GHSA-q53r-9hh9-w277).

The exploit has been disclosed publicly and may be used, with the CVE published on 2025-01-28.

Details

CWE(s): CWE-74 CWE-89

Affected Products

pimcore

≤ 4.2.1

CVEs Like This One

CVE-2026-23492Same product: Pimcore Pimcore

CVE-2025-27617Same product: Pimcore Pimcore

CVE-2026-23493Same product: Pimcore Pimcore

CVE-2024-13092Shared CWE-74, CWE-89

CVE-2026-4844Shared CWE-74, CWE-89

CVE-2025-1379Shared CWE-74, CWE-89

CVE-2025-0698Shared CWE-74, CWE-89

CVE-2026-3149Shared CWE-74, CWE-89

CVE-2025-0946Shared CWE-74, CWE-89

CVE-2026-3790Shared CWE-74, CWE-89

References

https://github.com/pimcore/customer-data-framework/releases/tag/v4.2.1
Release Notes · cna@vuldb.com
https://github.com/pimcore/pimcore/security/advisories/GHSA-q53r-9hh9-w277
Exploit, Vendor Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.293906
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.293906
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.451863
Third Party Advisory, VDB Entry · cna@vuldb.com
https://github.com/pimcore/pimcore/security/advisories/GHSA-q53r-9hh9-w277
Exploit, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0