VYPR
High severity · NVD Advisory · Published May 17, 2023 · Updated Jan 22, 2025

SQL Injection in pimcore/customer-data-framework

CVE-2023-2756

Description

An SQL injection vulnerability in Pimcore Customer Data Framework prior to 3.3.10 allows unauthenticated attackers to execute arbitrary SQL queries.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Root Cause

The vulnerability resides in the inheritableSegments method of the Customer Data Framework (CDF) bundle for Pimcore [1]. Prior to version 3.3.10, the method directly concatenated user-supplied type and id parameters into a SQL query without proper sanitization or parameterization. Specifically, the query construction used sprintf to insert the type value into table name and column name positions, and the id value into the WHERE clause [4]. This allowed an attacker to inject arbitrary SQL syntax by providing crafted input for these parameters.

Attack Vector

An attacker can exploit this vulnerability by sending a request to the endpoint that invokes inheritableSegments with malicious values for the type or id parameters [3]. No authentication is required to reach this endpoint. Because the input is not validated, the attacker can break out of the intended query structure and inject additional SQL commands. For example, setting type to a value containing a single quote or SQL keyword would alter the query's logic.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL statements against the underlying database [1]. This can lead to unauthorized reading, modification, or deletion of data. In the context of the Customer Data Framework, this includes sensitive customer information, segmentation data, and potentially system-level data if the database user has elevated privileges. The attack could result in complete compromise of data confidentiality and integrity.

Mitigation

The issue was patched in CDF version 3.3.10, released on 2023-04-26 [3]. The fix, implemented in commit [4], replaced the vulnerable string interpolation with proper use of prepared statements and quoted identifiers. However, note that the open-source community version of the bundle has been archived and is EOL; users are encouraged to migrate to the enterprise edition for continued support [2]. For those unable to upgrade immediately, applying input validation and using parameterized queries can serve as temporary mitigations.
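The interpolation pattern described under Root Cause, beside the hardened form the Mitigation section calls for, as an added example that is not part of this advisory or of Pimcore's code base; the `PARENT_ID_LOOKUP` allow-list, the `fetchParentId()` helper and the SQLite schema are assumptions made for the demo, which runs against an in-memory database through PHP's PDO:

```php
<?php
// Added example, not Pimcore's code: the identifier-interpolation shape from
// Root Cause beside a hardened variant. The type allow-list and the SQLite
// schema are constructed for this demo and only mirror what the fix commit shows.

// Vulnerable shape: $type lands in table and column positions via sprintf.
// Identifiers cannot be bound, so whatever $type holds reaches the SQL text.
function vulnerableParentIdSql(string $type): string
{
    return sprintf(
        'SELECT `%s` FROM `%s` WHERE `%s` = :value',
        $type === 'object' ? 'o_parentId' : 'parentId',
        $type . 's',
        $type === 'object' ? 'o_id' : 'id'
    );
}

// Hardened shape: user input only selects an entry from a fixed map, so
// every identifier in the query is a constant, and the id is bound as a value.
const PARENT_ID_LOOKUP = [
    'object'   => ['table' => 'objects',   'idCol' => 'o_id', 'parentCol' => 'o_parentId'],
    'document' => ['table' => 'documents', 'idCol' => 'id',   'parentCol' => 'parentId'],
    'asset'    => ['table' => 'assets',    'idCol' => 'id',   'parentCol' => 'parentId'],
];

function fetchParentId(PDO $db, string $type, string $id): ?int
{
    if (!isset(PARENT_ID_LOOKUP[$type])) {
        throw new InvalidArgumentException("unsupported element type: $type");
    }
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $m = PARENT_ID_LOOKUP[$type];
    $stmt = $db->prepare(sprintf(
        'SELECT %s FROM %s WHERE %s = :value', $m['parentCol'], $m['table'], $m['idCol']
    ));
    $stmt->execute(['value' => (int) $id]);
    $parent = $stmt->fetchColumn();
    return $parent === false ? null : (int) $parent;
}

// Demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE objects (o_id INTEGER PRIMARY KEY, o_parentId INTEGER)');
$db->exec('INSERT INTO objects VALUES (1, 0), (7, 1)');
echo vulnerableParentIdSql('object'), "\n";
echo fetchParentId($db, 'object', '7'), "\n";
```

Because `$type` only selects a map entry, no request value ever reaches an identifier position, and an unknown type is rejected before any SQL is built.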

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: pimcore/customer-management-framework-bundle (Packagist)
Affected versions: < 3.3.10
Patched versions: 3.3.10

Affected products: 2

Patches: 1

Commit 76df151737b7

[Bug]: Fix Inheritable Segment query (#460)

1 file changed · +8 −3
  • src/Controller/Admin/SegmentAssignmentController.php (+8 −3, modified)
    @@ -50,12 +50,17 @@ public static function getSubscribedServices()
          */
         public function inheritableSegments(Request $request, SegmentManagerInterface $segmentManager)
         {
    -        $id = $request->get('id') ?? '';
    -        $type = $request->get('type') ?? '';
    +        $id = $request->get('id');
    +        $type = $request->get('type');
    +        if (!$type || !$id) {
    +            return $this->adminJson(['data' => []]);
    +        }
     
             $db = \Pimcore\Db::get();
    -        $parentIdStatement = sprintf('SELECT `%s` FROM `%s` WHERE `%s` = :value', $type === 'object' ? 'o_parentId' : 'parentId', $type.'s', $type === 'object' ? 'o_id' : 'id');
    +        $parentIdStatement = sprintf('SELECT :parentIdField FROM %s WHERE :idField = :value', $db->quoteIdentifier($type . 's'));
             $parentId = $db->fetchOne($parentIdStatement, [
    +            'parentIdField' => $type === 'object' ? 'o_parentId' : 'parentId',
    +            'idField' => $type === 'object' ? 'o_id' : 'id',
                 'value' => $id
             ]);
     
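Review bot: the bound placeholders `:parentIdField` and `:idField` in the new `$parentIdStatement` do not reference columns: a driver binds parameters as quoted values, so the statement runs as `SELECT 'o_parentId' FROM ... WHERE 'o_id' = :value`, returning the literal string and comparing two constants instead of looking up the parent id. Both names already come from the ternaries on fixed constants rather than from the request, so they can be interpolated directly into the SQL text, leaving only the table name to go through `quoteIdentifier()`. Separately, `quoteIdentifier($type . 's')` prevents a crafted `type` from breaking out of the identifier but still leaves the table choice to the caller; checking `$type` against an explicit allow-list of supported element types before building the query would close that, and replacing `!$id` with an `is_numeric`/`ctype_digit` check would stop a legitimate id of `0` from being discarded as empty.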
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.