Storing Passwords in a Recoverable Format in pimcore/customer-data-framework
Description
Passwords stored in recoverable format in Pimcore Customer Data Framework prior to 3.3.10 expose user credentials to attackers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
The CVE-2023-2881 vulnerability in the Pimcore Customer Data Framework (CDF) arises from storing passwords in a recoverable format[1][2]. Specifically, the customer detail view disclosed the password hash for users, as noted in the advisory[4]. The fix commit (d1d58c1) removes the password field from the customer details view, preventing its exposure[3]. The root cause is that the password field was marked as visible in the detail view configuration, contrary to security best practices.
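The view logic before and after the fix, side by side, as an added example that is not code from pimcore/customer-data-framework: the stand-in field-definition interface, the stub class and the three function names are assumptions; only the two accessors `getInvisible()` and `getFieldtype()` and the `'password'` type name come from the fix itself. The audit helper lists password fields that any view honouring only the invisible flag would still render.

```php
<?php
// Added example; stand-in for the slice of Pimcore's field-definition API the fix uses.
interface FieldDefinitionLike
{
    public function getName(): string;
    public function getInvisible(): bool;
    public function getFieldtype(): string;
}

final class StubField implements FieldDefinitionLike
{
    public function __construct(
        private string $name,
        private string $type,
        private bool $invisible = false,
    ) {}
    public function getName(): string { return $this->name; }
    public function getInvisible(): bool { return $this->invisible; }
    public function getFieldtype(): string { return $this->type; }
}

/** Pre-3.3.10 behaviour: only the invisible flag decides what the detail view renders. */
function detailViewFieldsVulnerable(iterable $fields): array
{
    $names = [];
    foreach ($fields as $fd) {
        if ($fd->getInvisible()) { continue; }
        $names[] = $fd->getName();
    }
    return $names;
}

/** Patched behaviour: password-type fields are skipped regardless of the flag. */
function detailViewFieldsPatched(iterable $fields): array
{
    $names = [];
    foreach ($fields as $fd) {
        if ($fd->getInvisible() || $fd->getFieldtype() === 'password') { continue; }
        $names[] = $fd->getName();
    }
    return $names;
}

/** Audit helper: password fields a flag-only view would expose (non-empty means leak). */
function exposedPasswordFields(iterable $fields): array
{
    $leaks = [];
    foreach ($fields as $fd) {
        if ($fd->getFieldtype() === 'password' && !$fd->getInvisible()) { $leaks[] = $fd->getName(); }
    }
    return $leaks;
}

// Constructed sample resembling a customer class definition with a visible password field.
$fields = [new StubField('email', 'input'), new StubField('password', 'password'),
           new StubField('internalNote', 'textarea', invisible: true)];
print_r(detailViewFieldsVulnerable($fields)); // rendered before the fix
print_r(detailViewFieldsPatched($fields));    // rendered after the fix
print_r(exposedPasswordFields($fields));      // audit result for this definition
```

Running `exposedPasswordFields()` over a real class definition is a quick check that a custom or overridden customer view has not reintroduced the exposure.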
Exploitation Prerequisites
An attacker with authenticated access to the Pimcore backend, specifically with permissions to view customer detail data, could exploit this vulnerability. The exposed password hash could be retrieved through the normal UI or API endpoints that render customer data. No special network position or elevated privileges beyond standard backend access are required, as the password hash was part of the default view data for customers[4].
Impact
An attacker who obtains the password hash can attempt offline brute-force or dictionary attacks to recover the plaintext password. If successful, this could lead to unauthorized access to customer accounts, data breaches, and further compromise of the Pimcore system. The vulnerability is rated with a CVSS severity reflecting the serious confidentiality impact of password exposure[2].
Mitigation and Remediation
The vulnerability is patched in version 3.3.10 of the Customer Data Framework[2][3]. Users are strongly advised to update to this version or later. Note that the affected repository is archived as of April 2026, and the GPL version is End-of-Life (EOL)[1]. For continued support, users should migrate to the Pimcore Enterprise Edition's ee-customer-data-framework or obtain LTS support through the Pimcore support portal[1]. No workaround is available; updating is the only recommended course of action.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pimcore/customer-management-framework-bundle (Packagist) | < 3.3.10 | 3.3.10 |
Affected products
- pimcore/pimcore/customer-data-framework (v5), range: unspecified
Patches
d1d58c10313f: Remove password field from details view (#469)
1 file changed · +1 −1
src/CustomerView/DefaultCustomerView.php+1 −1 modified@@ -110,7 +110,7 @@ public function getDetailviewData(CustomerInterface $customer) $vf = $this->viewFormatter; foreach ($definition->getFieldDefinitions() as $fd) { - if ($fd->getInvisible()) { + if ($fd->getInvisible() || $fd->getFieldtype() === 'password') { continue; }
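Review bot: the new condition in getDetailviewData keys on an exact string match, `$fd->getFieldtype() === 'password'`, so a custom field definition that stores a credential under a different type name, or a subclass reporting another type, still passes the filter; consider also marking the field invisible in the class definition as defense in depth, or building the view from an allow-list of renderable types. The check lives only in this view method, while the description above notes that API endpoints rendering customer data were also affected, so a regression test asserting that no password-type field name appears in the detail view data (and in any other renderer of customer fields) would make the fix verifiable.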
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] https://github.com/advisories/GHSA-j65r-g7q2-f8v3 (GHSA advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2023-2881 (NVD advisory)
- [3] https://github.com/pimcore/customer-data-framework/commit/d1d58c10313f080737dc1e71fab3beb12488a1e6 (fix commit)
- [4] https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-j65r-g7q2-f8v3 (repository security advisory)
- [5] https://huntr.dev/bounties/db6c32f4-742e-4262-8fd5-cefd0f133416 (huntr report)
News mentions
No linked articles in our index yet.