Pimcore vulnerable to Business Logic Errors in Customer automation rules
Description
The Pimcore Customer Management Framework bundle prior to 3.3.9 lacked input validation on counter fields, allowing negative values that could cause business logic errors in the Conditions tab.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Pimcore Customer Management Framework (CMF) bundle prior to version 3.3.9 contained a business logic flaw in the Conditions tab of its administrative interface [1]. The counter fields used in condition definitions (e.g., "Count Activities", "Count Tracked Segment") lacked proper input validation, allowing negative integer values to be submitted [4].
Exploitation
An attacker with access to the Pimcore backend, specifically the rule configuration interface, could type a negative number into the count field of any of the affected condition types. The patch diff shows that the minValue: 0 constraint was missing from the three numberfield components for CountActivities, CountTrackedSegment, and CountTargetGroupWeight [4]. No authentication bypass or network-level vector is described: the flaw is a validation gap in the client-side (ExtJS) form that an authenticated administrator could exploit. The diff touches only those field definitions, so the check it adds runs in the browser; the page shows no corresponding server-side check.
Impact
Accepting a negative counter value corrupts the business logic of the condition, potentially leading to incorrect evaluation of customer segments, personalization rules, or marketing automation triggers [1]. A negative threshold for a count that can never be negative yields a condition that always succeeds or always fails, which an attacker with rule-editing rights could use to disrupt the expected behavior of the CMF.
Mitigation
The issue has been fixed in version 3.3.9 of the pimcore/customer-management-framework-bundle [3]. Users should update to that release or apply the provided patch manually [4]. Because the fix is a constraint on the form field, it does not rewrite rules that were saved with a negative count before the upgrade; review existing counter conditions after updating. Note that the open-source repository is now archived and the bundle has moved to the Pimcore Enterprise Edition; however, the patch remains available for all versions prior to 3.3.9 [2].
[1] NVD - CVE-2023-32075: https://nvd.nist.gov/vuln/detail/CVE-2023-32075
[2] GitHub - pimcore/customer-data-framework: Customer Data Framework community bundle adds capability for management of customer data to Pimcore.
[3] Release 3.3.9 · pimcore/customer-data-framework: https://github.com/pimcore/customer-data-framework/releases/tag/v3.3.9
[4] https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pimcore/customer-management-framework-bundle (Packagist) | < 3.3.9 | 3.3.9 |
Affected products
- pimcore/customer-data-framework (v5), range: < 3.3.9
Patches
- e3f333391582: Restrict negative value (#466)
1 file changed · +6 −3
src/Resources/public/js/config/conditions.js+6 −3 modified@@ -221,7 +221,8 @@ pimcore.plugin.cmf.rule.conditions.CountActivities = Class.create(pimcore.plugin xtype: "numberfield", name: "count", width: 90, - value: this.options.count + value: this.options.count, + minValue: 0 } ] } @@ -452,7 +453,8 @@ pimcore.plugin.cmf.rule.conditions.CountTrackedSegment = Class.create(pimcore.pl //xtype: "numberfield", name: "count", width: 90, - value: this.options.count + value: this.options.count, + minValue: 0 }); return [ @@ -531,7 +533,8 @@ pimcore.plugin.cmf.rule.conditions.CountTargetGroupWeight = Class.create(pimcore xtype: "numberfield", name: "count", width: 90, - value: this.options.count + value: this.options.count, + minValue: 0 } ] },
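Review bot: in the CountActivities hunk, `minValue: 0` on the `numberfield` only makes the ExtJS form mark the field invalid; it does not validate the stored `count`, any request that skips the form, or a rule saved with a negative count before this change (that value is loaded into `value: this.options.count` and displayed as invalid, not corrected). Suggest enforcing the same bound where the condition is persisted, and adding `allowDecimals: false` beside `minValue: 0`, since an activity count is an integer and an ExtJS number field accepts decimals by default.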
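Review bot: in the CountTrackedSegment hunk, the context line `//xtype: "numberfield",` is a commented-out config key left in place; this object is closed with `});` rather than sitting in an `items` array like the other two, so it is evidently passed to a constructor and the `xtype` is dead. Either delete the stale comment or declare the field the same way as in CountActivities and CountTargetGroupWeight, so that all three count fields share one definition and the new `minValue: 0` cannot drift out of sync.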
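Review bot: the CountTargetGroupWeight hunk is the third copy of the same field config (`xtype: "numberfield"`, `name: "count"`, `width: 90`, `value: this.options.count`), and the missing bound had to be fixed three times for that reason. A small helper returning the count field config would make this a single edit and would keep any further constraint (an upper bound, `allowDecimals: false`) in one place; "weight" also suggests checking whether the upper range should be bounded as well, which this hunk does not do.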
Vulnerability mechanics
Root cause
"Missing input validation on number fields allows for negative values, leading to business logic errors."
Attack vector
An attacker with access to the Conditions tab of the Customer Management Framework can enter a negative number in a count field; the application then accepts a counter value that should never be negative and evaluates the condition against it [patch_id=24350].
Affected code
The vulnerability exists in `src/Resources/public/js/config/conditions.js` within the `CountActivities`, `CountTrackedSegment`, and `CountTargetGroupWeight` classes. These components define the user interface for the Conditions tab in the Customer Management Framework [patch_id=24350].
What the fix does
The patch updates `src/Resources/public/js/config/conditions.js` by adding `minValue: 0` to the `numberfield` configuration for `CountActivities`, `CountTrackedSegment`, and `CountTargetGroupWeight` [patch_id=24350]. With that constraint the ExtJS field flags negative values as invalid, keeping the counter within a valid range when rules are edited through the UI and preventing the business logic errors associated with negative counter values. The check is client-side, matching the scope of the diff; rules stored before the fix are not rewritten by it.
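To make the scope of the fix concrete, the following is an added example (not Pimcore or ExtJS code) that models, in plain JavaScript, the before/after `numberfield` config from `conditions.js`, a simplified re-implementation of the ExtJS validation rules relevant here (`minValue`, `maxValue`, `allowDecimals`, `allowBlank`), and a hypothetical server-side validator for a stored rule condition. The `validateConditionPayload` and `findInvalidConditions` functions, the `COUNTER_CONDITIONS` set, and the sample conditions are assumptions for illustration; the page shows no server-side code.

```javascript
// Added example, not Pimcore/ExtJS code. Models the client-side constraint
// the patch adds and a hypothetical server-side check for stored conditions.

// Count field config as it appears before and after the fix in conditions.js
// (CountActivities, CountTrackedSegment and CountTargetGroupWeight share it).
function countFieldConfig(options, patched) {
  const cfg = { xtype: "numberfield", name: "count", width: 90, value: options.count };
  if (patched) {
    cfg.minValue = 0;          // what commit e3f333391582 adds
    cfg.allowDecimals = false; // assumption: counters are integers (not in the patch)
  }
  return cfg;
}

// Simplified model of how an ExtJS Number field validates raw input.
// Only the rules relevant to this advisory are modelled.
function validateNumberField(cfg, raw) {
  const errors = [];
  if (raw === "" || raw === null || raw === undefined) {
    if (cfg.allowBlank === false) errors.push("blank");
    return errors;
  }
  const n = Number(raw);
  if (!Number.isFinite(n)) {
    errors.push("nan");
    return errors;
  }
  if (cfg.allowDecimals === false && !Number.isInteger(n)) errors.push("decimal");
  if (typeof cfg.minValue === "number" && n < cfg.minValue) errors.push("below-min");
  if (typeof cfg.maxValue === "number" && n > cfg.maxValue) errors.push("above-max");
  return errors;
}

// Hypothetical server-side validation of a rule condition as it is persisted.
// The form constraint cannot see a request that skips the form, nor a value
// stored before the patch, so the same rule is applied to the payload.
const COUNTER_CONDITIONS = new Set([
  "CountActivities",
  "CountTrackedSegment",
  "CountTargetGroupWeight",
]);

function validateConditionPayload(condition) {
  const errors = [];
  if (!COUNTER_CONDITIONS.has(condition.type)) return errors;
  const c = condition.count;
  if (!Number.isInteger(c)) errors.push("count must be an integer");
  else if (c < 0) errors.push("count must be >= 0");
  return errors;
}

// Audit helper: returns the types of stored conditions that would now be
// rejected, i.e. what to look for in existing rules after upgrading.
function findInvalidConditions(conditions) {
  return conditions
    .filter((c) => validateConditionPayload(c).length > 0)
    .map((c) => c.type);
}

// Constructed sample of stored conditions (not real Pimcore data).
const SAMPLE_CONDITIONS = [
  { type: "CountActivities", count: 3 },
  { type: "CountTrackedSegment", count: -1 },
  { type: "CountTargetGroupWeight", count: 2.5 },
  { type: "SomethingElse", count: -9 }, // not a counter condition, ignored
];

// Pre-patch config accepts "-5"; post-patch config rejects it.
console.log(validateNumberField(countFieldConfig({ count: -5 }, false), "-5"));
console.log(validateNumberField(countFieldConfig({ count: -5 }, true), "-5"));
console.log(findInvalidConditions(SAMPLE_CONDITIONS));
```

The point of the two validators is that they enforce the same bound in two places: the field config decides what the administrator's browser will submit, while the payload check decides what is actually stored, and only the latter catches values that never passed through the form.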
Preconditions
- The user must have access to the Conditions tab within the Customer Management Framework.
Generated on May 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-x99j-r8vv-gwwj (advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-32075 (advisory)
- https://github.com/pimcore/customer-data-framework/commit/e3f333391582d9309115e6b94e875367d0ea7163.patch (patch)
- https://github.com/pimcore/customer-data-framework/releases/tag/v3.3.9 (release)
- https://github.com/pimcore/customer-data-framework/security/advisories/GHSA-x99j-r8vv-gwwj (vendor advisory)
- https://huntr.dev/bounties/cecd7800-a996-4f3a-8689-e1c2a1e0248a (huntr report)