CVE-2024-21666: 
PHP vulnerability analysis and mitigation

The Customer Management Framework (CMF) for Pimcore version 4.0.5 and earlier contains an improper access control vulnerability (CVE-2024-21666) that was discovered in January 2024. This vulnerability allows an authenticated but unauthorized user to access the list of potential duplicate users and view their data through the /admin/customermanagementframework/duplicates/list endpoint (GitHub Advisory).

The vulnerability stems from improper access control implementation in the DuplicatesController.php file. Specifically, permissions are not properly enforced when accessing the /admin/customermanagementframework/duplicates/list endpoint, allowing authenticated users without the necessary permissions to query and view customer data. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and high impact on confidentiality (NVD, Tenable Research).

The vulnerability allows unauthorized users to access Personally Identifiable Information (PII) of customers stored in the system. Any authenticated user, regardless of their permission level, can view and query the duplicate customers list, potentially exposing sensitive customer data (GitHub Advisory).

The vulnerability has been patched in Pimcore Customer Data Framework version 4.0.6. Users are advised to upgrade to this version or later to address the security issue. The fix implements proper permission checking through the addition of permission verification in the controller's initialization phase (GitHub Patch).