Skip to main content

Exposure of Sensitive Information to an Unauthorized Actor

CVE-2024-29197

Severity Medium
Score 6.5/10

Summary

Pimcore is an Open Source Data & Experience Management Platform. Any call with the query argument `?pimcore_preview=true` allows to view unpublished sites. In previous versions of Pimcore, session information would propagate to previews, so only a logged in user could open a preview. This no longer applies. Previews are broad open to any user and with just the hint of a restricted link one could gain access to possible confident/unreleased information. This issue affects the package pimcore/pimcore versions 11.0.0-ALPHA1 through 11.1.6, and 11.2.0 through 11.2.1.

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • REQUIRED
  • NONE
  • HIGH
  • NONE

CWE-200 - Information Exposure

An information exposure vulnerability is categorized as an information flow (IF) weakness, which can potentially allow unauthorized access to otherwise classified information in the application, such as confidential personal information (demographics, financials, health records, etc.), business secrets, and the application's internal environment.

References

Advisory Timeline

  • Published