Pimcore Customer Data Framework passwords stored recoverable before 3.3.10: CVE-2023-2881 May 2023

Pimcore Customer Data Framework passwords stored recoverable before 3.3.10
CVE-2023-2881 Published on May 25, 2023

Storing Passwords in a Recoverable Format in pimcore/customer-data-framework
Storing Passwords in a Recoverable Format in GitHub repository pimcore/customer-data-framework prior to 3.3.10.

Weakness Type

Storing Passwords in a Recoverable Format

The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.

Products Associated with CVE-2023-2881

Want to know whenever a new CVE is published for Pimcore Customer Data Framework? stack.watch will email you.

Affected Versions

Version unspecified and below 3.3.10 is affected.

Vulnerable Packages

The following package name and versions may be associated with CVE-2023-2881

Package Manager	Vulnerable Package	Versions	Fixed In
composer	pimcore/customer-management-framework-bundle	< 3.3.10	3.3.10

Package Manager

Vulnerable Package

Versions

Fixed In

composer

pimcore/customer-management-framework-bundle

< 3.3.10

3.3.10

Exploit Probability

EPSS

0.00%

Percentile

0.02%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.