VYPR
Moderate severity · NVD Advisory · Published Jul 10, 2023 · Updated Oct 30, 2024

Improper Authorization in pimcore/customer-data-framework

CVE-2023-3574

Description

Missing permission check in Pimcore Customer Data Framework prior to 3.4.1 allows unauthorized users to access and modify customer rules.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


CVE-2023-3574 is an improper authorization vulnerability in the Pimcore Customer Data Framework (the pimcore/customer-management-framework-bundle Composer package, also called the CMF) before version 3.4.1. The root cause is a missing permission check in the bundle's admin RulesController [1][3]: the controller never verified that the authenticated backend user held the plugin_cmf_perm_customer_automation_rules permission before serving its action-trigger-rule endpoints [3].

An attacker who holds a valid backend session but lacks that permission can exploit this by calling the controller's /rules routes directly [3]. Authentication is required, but no privilege beyond a backend login, so this is a privilege escalation within the admin interface rather than an unauthenticated remote issue. No special network position is needed beyond whatever already reaches the backend [2].

A successful exploit lets such a user view, create, or modify customer automation rules. Because these rules drive customer segmentation, personalization, and marketing automation, tampering with them can expose sensitive customer data or disrupt business-critical workflows [1][4].

The fix, commit f15668c8, makes RulesController implement KernelControllerEventInterface and calls checkPermission('plugin_cmf_perm_customer_automation_rules') from onKernelControllerEvent, so the check runs before any action in that controller is dispatched [3][4]. Upgrade to version 3.4.1 or later. Note that the community repository has been archived and is end-of-life; ongoing support is available only through the Pimcore Enterprise Edition [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                        Ecosystem   Affected versions   Patched versions
pimcore/customer-management-framework-bundle   Packagist   < 3.4.1             3.4.1
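As an added example (not code from this advisory or from Pimcore), the following Python script decides whether a Pimcore project is exposed to this advisory. It reads composer.lock for the version pinned for pimcore/customer-management-framework-bundle and compares it against 3.4.1, and, where the vendored RulesController.php is available, inspects the deployed source for the check introduced by the fix commit. The source check is the more reliable signal when the lock file has been bumped but vendor/ has not yet been reinstalled, or when the bundle is pinned to a branch alias such as dev-master that carries no comparable version. The composer.lock fragments and controller sources embedded below are constructed samples; the vendor path assumed by check_project() is Composer's default layout.

```python
"""Exposure check for CVE-2023-3574 (pimcore/customer-management-framework-bundle < 3.4.1).

Added example, not code from the advisory or from Pimcore. Sample inputs are constructed.
"""
import json
import re
from pathlib import Path
from typing import Optional, Tuple

PACKAGE = "pimcore/customer-management-framework-bundle"
FIXED = (3, 4, 1)  # first release carrying the permission check
PERMISSION = "plugin_cmf_perm_customer_automation_rules"

# Matches the call the fix commit added to RulesController::onKernelControllerEvent.
PERMISSION_CALL = re.compile(
    r"checkPermission\(\s*['\"]" + re.escape(PERMISSION) + r"['\"]\s*\)"
)


def parse_version(raw: str) -> Optional[Tuple[int, int, int]]:
    """Turn a Composer version such as 'v3.3.10', '3.4.1' or '3.4' into a tuple.
    Branch aliases ('dev-master', '3.x-dev') carry no comparable number and yield None."""
    if raw.startswith("dev-") or raw.endswith("-dev"):
        return None
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", raw)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def installed_version(lock_json: str) -> Optional[str]:
    """Version composer.lock pins for PACKAGE (searching 'packages' and 'packages-dev'),
    or None if the bundle is not installed."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg.get("version")
    return None


def is_vulnerable_version(raw: str) -> Optional[bool]:
    """True below 3.4.1, False at or above it, None when the version is not comparable."""
    parsed = parse_version(raw)
    return None if parsed is None else parsed < FIXED


def controller_has_check(source: str) -> bool:
    """Source-level test for the fix: the controller must hook the kernel controller
    event and call checkPermission() with the CMF automation-rules permission."""
    return "KernelControllerEventInterface" in source and PERMISSION_CALL.search(source) is not None


def assess(lock_json: str, controller_source: Optional[str] = None) -> str:
    """One verdict from both signals: 'vulnerable', 'patched', 'not-installed' or 'unknown'."""
    raw = installed_version(lock_json)
    if controller_source is not None:
        # The deployed file wins: a lock file can already say 3.4.1 while vendor/ is stale,
        # and a branch alias says nothing about which commit was actually checked out.
        return "patched" if controller_has_check(controller_source) else "vulnerable"
    if raw is None:
        return "not-installed"
    verdict = is_vulnerable_version(raw)
    if verdict is None:
        return "unknown"
    return "vulnerable" if verdict else "patched"


def check_project(project_root: str) -> str:
    """Run assess() against a real checkout, assuming Composer's default vendor/ layout."""
    root = Path(project_root)
    lock = (root / "composer.lock").read_text()
    controller = root / "vendor" / PACKAGE / "src" / "Controller" / "Admin" / "RulesController.php"
    return assess(lock, controller.read_text() if controller.exists() else None)


# Constructed samples, not real project files.
SAMPLE_LOCK_OLD = json.dumps({"packages": [{"name": PACKAGE, "version": "v3.3.10"}]})
SAMPLE_LOCK_FIXED = json.dumps({"packages": [{"name": PACKAGE, "version": "3.4.1"}]})
SAMPLE_LOCK_BRANCH = json.dumps({"packages": [{"name": PACKAGE, "version": "dev-master"}]})
SAMPLE_LOCK_ABSENT = json.dumps({"packages": [{"name": "symfony/console", "version": "v5.4.0"}]})

VULNERABLE_CONTROLLER = r"""<?php
namespace CustomerManagementFrameworkBundle\Controller\Admin;

class RulesController extends \Pimcore\Bundle\AdminBundle\Controller\AdminController
{
    public function listAction() {}
}
"""

PATCHED_CONTROLLER = r"""<?php
namespace CustomerManagementFrameworkBundle\Controller\Admin;

class RulesController extends AdminController implements KernelControllerEventInterface
{
    public function onKernelControllerEvent(ControllerEvent $event)
    {
        $this->checkPermission('plugin_cmf_perm_customer_automation_rules');
    }
}
"""
```

Run check_project("/path/to/pimcore-project") against a checkout; assess(SAMPLE_LOCK_FIXED, VULNERABLE_CONTROLLER) returns "vulnerable" even though the lock file names the fixed release, which is the stale-vendor case the source check exists for.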

Affected products (2)

Patches (1)

f15668c86db2

[Bug]: Add missing permission check on Rules controller (#483)

2 files changed · +16 −10
  • src/Controller/Admin/RulesController.php  +9 −1  modified
    @@ -15,14 +15,22 @@
     
     namespace CustomerManagementFrameworkBundle\Controller\Admin;
     
    +use Pimcore\Bundle\AdminBundle\Controller\AdminController;
    +use Pimcore\Controller\KernelControllerEventInterface;
     use Symfony\Component\HttpFoundation\Request;
    +use Symfony\Component\HttpKernel\Event\ControllerEvent;
     use Symfony\Component\Routing\Annotation\Route;
     
     /**
      * @Route("/rules")
      */
    -class RulesController extends \Pimcore\Bundle\AdminBundle\Controller\AdminController
    +class RulesController extends AdminController implements KernelControllerEventInterface
     {
    +    public function onKernelControllerEvent(ControllerEvent $event)
    +    {
    +        $this->checkPermission('plugin_cmf_perm_customer_automation_rules');
    +    }
    +
         /**
          * get saved action trigger rules
          *
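Review bot: the check in onKernelControllerEvent covers every action routed through RulesController, which is the right scope for a blanket fix, but the permission name is a bare string literal; pull 'plugin_cmf_perm_customer_automation_rules' into a class constant (or reuse the one the bundle's installer defines, if there is one) so the permission the controller enforces and the permission that gets installed cannot drift apart. A regression test that requests a /rules route as a backend user without that permission and asserts the request is rejected would also be worth adding here, given that the missing check went unnoticed until now.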
    
  • src/Targeting/SegmentTracker.php  +7 −9  modified
    @@ -175,17 +175,15 @@ public function getFilteredAssignments(VisitorInfo $visitorInfo, array $allowedS
     
             //order segments by count, pick $limitSegmentCountPerGroup top segments
             foreach ($segmentCollection as $group => $groupCollection) {
    -            if (!empty($groupCollection)) {
    -                usort($groupCollection, function ($left, $right) {
    -                    if ($left['count'] === $right['count']) {
    -                        return 0;
    -                    }
    +            usort($groupCollection, function ($left, $right) {
    +                if ($left['count'] === $right['count']) {
    +                    return 0;
    +                }
     
    -                    return ($left['count'] < $right['count']) ? 1 : -1;
    -                });
    +                return ($left['count'] < $right['count']) ? 1 : -1;
    +            });
     
    -                $segmentCollection[$group] = array_slice($groupCollection, 0, $limitSegmentCountPerGroup);
    -            }
    +            $segmentCollection[$group] = array_slice($groupCollection, 0, $limitSegmentCountPerGroup);
             }
     
             return $segmentCollection;
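Review bot: this SegmentTracker change is unrelated to the permission fix and should ship in its own commit; bundling a behaviour tweak with a security patch makes cherry-picking the fix onto older branches harder. On the change itself, dropping the `if (!empty($groupCollection))` guard is harmless when $groupCollection is an empty array (usort and array_slice both accept it), but the old guard also skipped null or non-array values, which usort now rejects with a TypeError; if $segmentCollection can hold those, keep an `is_array($groupCollection)` check in front of the usort.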
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (6)

News mentions (0)

No linked articles in our index yet.