CVE-2024-29197

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-29197
Pimcore is an Open Source Data & Experience Management Platform. Any call with the query argument `?pimcore_preview=true` allows to view unpublished sites. In previous versions of Pimcore, session information would propagate to previews, so only a logged in user could open a preview. This no longer applies. Previews are broad open to any user and with just the hint of a restricted link one could gain access to possible confident / unreleased information. This vulnerability is fixed in 11.2.2 and 11.1.6.1.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/pimcore/pimcore/commit/3ae43fb1065f9eb62ad2f542b883858d36d57e53
https://github.com/pimcore/pimcore/security/advisories/GHSA-5737-rqv4-v445
https://github.com/pimcore/pimcore/commit/3ae43fb1065f9eb62ad2f542b883858d36d57e53
https://github.com/pimcore/pimcore/security/advisories/GHSA-5737-rqv4-v445
Configurations

No configuration.

History

21 Nov 2024, 09:07

Type Values Removed Values Added
References () https://github.com/pimcore/pimcore/commit/3ae43fb1065f9eb62ad2f542b883858d36d57e53 - () https://github.com/pimcore/pimcore/commit/3ae43fb1065f9eb62ad2f542b883858d36d57e53 -
References () https://github.com/pimcore/pimcore/security/advisories/GHSA-5737-rqv4-v445 - () https://github.com/pimcore/pimcore/security/advisories/GHSA-5737-rqv4-v445 -
Summary
  • (es) Pimcore es una plataforma de gestión de experiencias y datos de código abierto. Cualquier llamada con el argumento de consulta `?pimcore_preview=true` permite ver sitios no publicados. En versiones anteriores de Pimcore, la información de la sesión se propagaba a las vistas previas, por lo que solo un usuario que había iniciado sesión podía abrir una vista previa. Esto ya no se aplica. Las vistas previas están abiertas a cualquier usuario y con sólo un indicio de un enlace restringido se puede obtener acceso a posible información confidencial o inédita. Esta vulnerabilidad se solucionó en 11.2.2 y 11.1.6.1.

26 Mar 2024, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-03-26 15:15

Updated : 2024-11-21 09:07

NVD link : CVE-2024-29197

Mitre link : CVE-2024-29197

CVE.ORG link : CVE-2024-29197

JSON object : View

Products Affected

No product.

CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024