Pimcore customer-data-framework list sql injection
Description
An unauthenticated SQL injection vulnerability in the Pimcore customer data framework allows remote attackers to execute arbitrary SQL commands via the filterDefinition/filter parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2024-11956 is a critical SQL injection vulnerability in the Pimcore customer-data-framework, affecting versions up to and including 4.2.0. The issue resides in the /admin/customermanagementframework/customers/list endpoint, where the filterDefinition and filter parameters are directly incorporated into an SQL query without proper sanitization [1][3]. This allows an attacker to manipulate these parameters to inject arbitrary SQL commands.
Attack Vector and Exploitation
The vulnerability can be exploited remotely by any authenticated user [3]. A proof-of-concept URL has been published, demonstrating that specially crafted input in the filterDefinition and filter parameters can trigger an SQL error, confirming the injection point. The exploitation requires only standard HTTP GET requests with malicious payloads in the query string, making it straightforward to execute [3].
Impact
Successful exploitation enables an attacker to execute arbitrary SQL commands on the underlying database. This can lead to unauthorized access to sensitive customer data, modification or deletion of records, and potentially full control over the server [3]. Given the nature of the affected component, customer data integrity and confidentiality are at severe risk.
Mitigation and Status
The vendor has released version 4.2.1 of the customer-data-framework, which addresses the vulnerability [1][4]. Users are strongly advised to upgrade immediately. No workarounds are provided, and the exploit has been publicly disclosed, increasing the likelihood of active attacks.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pimcore/customer-management-framework-bundle (Packagist) | < 4.2.1 | 4.2.1 |
Affected products
- Pimcore/customer-data-framework (v5), range: 4.0
Patches
- 8da6d00cff03 Apply php-cs-fixer changes
1 file changed, +1 −1
src/CustomerList/Filter/CustomerSegment.php+1 −1 modified@@ -19,7 +19,6 @@ use CustomerManagementFrameworkBundle\Listing\Filter\OnCreateQueryFilterInterface; use CustomerManagementFrameworkBundle\Service\MariaDb; use Doctrine\DBAL\ArrayParameterType; -use Doctrine\DBAL\Connection; use Doctrine\DBAL\ParameterType; use Doctrine\DBAL\Query\QueryBuilder; use Exception; @@ -192,6 +191,7 @@ protected function applyAndQuery(CoreListing\Concrete $listing, QueryBuilder $qu * * @param string $joinName * @param int|array $conditionValue + * * @throws Exception */ protected function addJoin(
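Review bot: dropping the unused `use Doctrine\DBAL\Connection;` import is a style-only change; nothing in this first hunk alters how the `filterDefinition`/`filter` values reach the query built in `applyAndQuery`/`addJoin`, so this commit should not be cited as the SQL-injection fix. The file keeps its `ArrayParameterType` and `ParameterType` imports, so the binding helpers are already available to whatever commit carries the real fix; please link that commit from the advisory.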
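Review bot: in the second hunk the only added line is a blank ` *` separator inside the `addJoin` docblock; the ` * @throws Exception` tag below it is unchanged context, not a new annotation, so the "What the fix does" text on this page overstates the hunk. While touching this docblock it would be worth stating which inputs make `addJoin` throw (a rejected `$joinName` or `$conditionValue`), since those are the values an attacker controls.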
Vulnerability mechanics
Root cause
"Missing input sanitization in the filter parameter processing allows SQL injection via Hibernate dynamic query building."
Attack vector
An attacker sends a crafted HTTP request to the `/admin/customermanagementframework/customers/list` endpoint, supplying malicious SQL in the `filterDefinition/filter` parameter. The application uses Hibernate to build a dynamic SQL statement from this user-controlled input without proper sanitization [CWE-564]. The attack is remotely exploitable over the network with no authentication requirements specified in the advisory. The public exploit disclosure indicates that the payload is injected into the filter conditions processed by the `CustomerSegment` filter class.
Affected code
The vulnerability is reachable through the `/admin/customermanagementframework/customers/list` endpoint of the Pimcore customer-data-framework. The patch modifies `src/CustomerList/Filter/CustomerSegment.php`, specifically the `applyAndQuery` and `addJoin` methods, which handle filter conditions for customer listing queries. Manipulation of the `filterDefinition/filter` argument allows an attacker to inject SQL through the filter parameters processed by these methods.
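Added illustration, not code from the bundle and not the 4.2.1 fix: a constructed `addJoin`-style helper in Doctrine DBAL QueryBuilder terms, first with the `int|array` condition value spliced into the join condition as the mechanics above describe, then with the value bound through `ArrayParameterType`/`ParameterType` and the join alias allow-listed, since identifiers cannot be bound. Assumes PHP 8 and doctrine/dbal 3.6 or later; the `customer`/`customer_segment_map` tables, column names and aliases are invented.

```php
<?php
declare(strict_types=1);

use Doctrine\DBAL\ArrayParameterType;
use Doctrine\DBAL\DriverManager;
use Doctrine\DBAL\ParameterType;
use Doctrine\DBAL\Query\QueryBuilder;

// Constructed demo, not the bundle's CustomerSegment code. Table, column and
// alias names are invented; $conditionValue stands for the request-supplied
// filterDefinition/filter value.

/** Vulnerable shape: request-controlled values are concatenated into SQL text. */
function addJoinVulnerable(QueryBuilder $qb, string $joinName, int|array $conditionValue): void
{
    $ids = is_array($conditionValue) ? implode(',', $conditionValue) : (string) $conditionValue;
    // Whatever the client sent, SQL syntax included, becomes part of the statement.
    $qb->leftJoin('c', 'customer_segment_map', $joinName,
        "$joinName.customerId = c.id AND $joinName.segmentId IN ($ids)");
}

/** Hardened shape: values are bound parameters; the alias is validated as an identifier. */
function addJoinSafe(QueryBuilder $qb, string $joinName, int|array $conditionValue): void
{
    // Identifiers (aliases, column names) cannot be bound, so allow-list their shape.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,30}$/', $joinName)) {
        throw new InvalidArgumentException('Invalid join alias');
    }
    $param = 'segment_' . $joinName;
    if (is_array($conditionValue)) {
        // ArrayParameterType::INTEGER expands to one placeholder per element at run time.
        $qb->setParameter($param, array_map('intval', $conditionValue), ArrayParameterType::INTEGER);
    } else {
        $qb->setParameter($param, $conditionValue, ParameterType::INTEGER);
    }
    $qb->leftJoin('c', 'customer_segment_map', $joinName,
        "$joinName.customerId = c.id AND $joinName.segmentId IN (:$param)");
}

// Build (without executing) a listing query on an in-memory SQLite connection.
$conn = DriverManager::getConnection(['driver' => 'pdo_sqlite', 'memory' => true]);
$qb = $conn->createQueryBuilder()->select('c.id')->from('customer', 'c');
addJoinSafe($qb, 'seg', ['7', '9 OR 1=1']);   // constructed hostile-looking filter value
echo $qb->getSQL(), PHP_EOL;     // SQL text carries only the named placeholder
print_r($qb->getParameters());   // the coerced integers travel as bound parameters
```

Swapping `addJoinSafe` for `addJoinVulnerable` in the last lines shows the same input landing verbatim inside the `IN (...)` clause of `getSQL()`, which is the condition the advisory describes.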
What the fix does
The patch in commit `8da6d00cff036ee5ec6f5595e8b99a704e9ee12c` removes the unused `use Doctrine\DBAL\Connection;` import and adds a missing `@throws Exception` annotation to the `addJoin` method. However, the diff shown does not reveal the actual SQL injection fix — the commit message only states "Apply php-cs-fixer changes," suggesting the substantive security fix may be in a different commit or the patch bundle is incomplete. The advisory recommends upgrading to version 4.2.1 to fully address the issue.
Preconditions
- network: Attacker must be able to send HTTP requests to the /admin/customermanagementframework/customers/list endpoint
- input: The filterDefinition/filter parameter must be accepted and processed by the application
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/pimcore/customer-data-framework/releases/tag/v4.2.1 (ghsa; patch; WEB)
- github.com/pimcore/pimcore/security/advisories/GHSA-q53r-9hh9-w277 (ghsa; exploit; WEB)
- github.com/advisories/GHSA-q53r-9hh9-w277 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-11956 (ghsa; ADVISORY)
- vuldb.com (ghsa; third-party-advisory; WEB)
- vuldb.com (ghsa; signature; permissions-required; WEB)
- vuldb.com (ghsa; vdb-entry; technical-description; WEB)