CVE-2023-32075: 
PHP vulnerability analysis and mitigation

The Customer Management Framework (CMF) for Pimcore, which adds functionality for customer data management, contains a vulnerability in versions prior to 3.3.9. The issue exists in the pimcore/customer-management-framework-bundle where business logic errors are possible in the Conditions tab since the counter can be a negative number (GitHub Advisory). The vulnerability was disclosed on May 11, 2023.

The vulnerability stems from improper input validation in the Conditions tab where the counter value could accept negative numbers. This issue affects multiple components including CountActivities, CountTrackedSegment, and CountTargetGroupWeight in the conditions.js file. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (NVD).

The vulnerability allows for unlogical counter values in the Conditions tab, which could lead to business logic errors in the customer management system. The impact is primarily on the integrity of the system, with no direct effect on confidentiality or availability (GitHub Advisory).

Users should update to version 3.3.9 of the customer-management-framework-bundle to receive the patch. Alternatively, users can manually apply the patch that restricts negative values in the counter field by implementing the changes from the provided patch file (GitHub Advisory).