
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-21665 is a security vulnerability discovered in the Pimcore Ecommerce Framework Bundle, affecting versions prior to 1.0.10. The vulnerability was disclosed on January 10, 2024, and allows an authenticated but unauthorized user to access the back-office orders list and query order information without holding the required permission (GitHub Advisory).
The vulnerability stems from improper access control implementation in the AdminOrderController.php file. The issue occurs specifically at the listAction endpoint where permissions are not being properly enforced. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and requiring low privileges (GitHub Advisory).
When exploited, the vulnerability allows unauthorized users to access and query the back-office orders list, potentially exposing sensitive order information. This represents a breach of access control and could lead to unauthorized access to business-critical data (GitHub Advisory).
The vulnerability has been patched in version 1.0.10 of the Pimcore Ecommerce Framework Bundle. Users are advised to upgrade to this version or later to address the security issue. The fix implements proper permission checks to prevent unauthorized access (GitHub Release).
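As an added illustration (not Pimcore's code and not the actual patch), the following Python models the flaw class the advisory describes: a listing handler that verifies the session but never checks a permission, beside a deny-by-default version, plus a small audit routine that scans access logs for successful reads of the listing endpoint by users who lack that permission. The permission name `ecommerce_orders_view`, the endpoint path, the log line format and the order records are all constructed for this example and do not correspond to Pimcore's real identifiers.

```python
"""Authenticated-but-unauthorized access to a back-office listing.

Added example, not Pimcore code. The permission name, endpoint path,
log format and order records below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Hypothetical permission name; Pimcore's real permission key differs.
ORDER_LIST_PERMISSION = "ecommerce_orders_view"

# Hypothetical endpoint path used only in the constructed log lines.
ORDER_LIST_ENDPOINT = "/admin/ecommerce/order/list"


@dataclass
class User:
    name: str
    authenticated: bool = True
    permissions: set[str] = field(default_factory=set)


class Unauthenticated(Exception):
    """No valid session at all."""


class Forbidden(Exception):
    """Valid session, but the required permission is missing."""


# Constructed sample records; real order rows carry customer PII.
ORDERS = [
    {"id": 1001, "customer": "a.customer@example.test", "total": 149.90},
    {"id": 1002, "customer": "b.customer@example.test", "total": 19.99},
]


def list_orders_vulnerable(user: User) -> list[dict]:
    """The flaw class: authentication is checked, authorization is not."""
    if not user.authenticated:
        raise Unauthenticated(user.name)
    return ORDERS  # any logged-in user gets the full listing


def list_orders_fixed(user: User) -> list[dict]:
    """Deny by default: the caller must hold the specific permission."""
    if not user.authenticated:
        raise Unauthenticated(user.name)
    if ORDER_LIST_PERMISSION not in user.permissions:
        raise Forbidden(user.name)
    return ORDERS


def outcome(handler, user: User) -> str:
    """Reduce a handler call to one of three access outcomes."""
    try:
        handler(user)
        return "allowed"
    except Unauthenticated:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"


def compare(user: User) -> tuple[str, str]:
    """(vulnerable outcome, fixed outcome) for the same caller."""
    return outcome(list_orders_vulnerable, user), outcome(list_orders_fixed, user)


# Constructed access-log format: "<ts> user=<name> endpoint=<path> status=<code>"
LOG_RE = re.compile(r"user=(?P<user>\S+) endpoint=(?P<ep>\S+) status=(?P<status>\d+)")


def find_unauthorized_reads(log_lines, permissions_by_user, endpoint=ORDER_LIST_ENDPOINT):
    """Audit: successful hits on the listing endpoint by users lacking the permission.

    Useful after patching, to learn whether the gap was exercised while open.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["ep"] != endpoint or m["status"] != "200":
            continue
        if ORDER_LIST_PERMISSION not in permissions_by_user.get(m["user"], set()):
            hits.append(m["user"])
    return hits


# Constructed sample data for a stand-alone run.
SAMPLE_PERMISSIONS = {"manager": {ORDER_LIST_PERMISSION}, "editor": set()}
SAMPLE_LOG = [
    "2024-01-09T10:00:00Z user=manager endpoint=/admin/ecommerce/order/list status=200",
    "2024-01-09T10:01:12Z user=editor endpoint=/admin/ecommerce/order/list status=200",
    "2024-01-09T10:02:30Z user=editor endpoint=/admin/assets status=200",
    "2024-01-09T10:03:45Z user=editor endpoint=/admin/ecommerce/order/list status=403",
]

if __name__ == "__main__":
    for u in (User("anon", authenticated=False), User("editor"),
              User("manager", permissions={ORDER_LIST_PERMISSION})):
        print(u.name, compare(u))
    print("unauthorized listing reads:", find_unauthorized_reads(SAMPLE_LOG, SAMPLE_PERMISSIONS))
```

Running the module shows the `editor` account reaching the listing through the vulnerable handler and being refused by the fixed one, and the audit flags only the `editor` line with a 200 status; the later 403 line is what the same request looks like once the permission check is in place.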
Source: This report was generated using AI