VYPR
Moderate severityNVD Advisory· Published Jan 11, 2024· Updated Jun 17, 2025

Pimcore Ecommerce Framework Bundle Improper Access Control allows unprivileged user to access back-office orders list

CVE-2024-21665

Description

An unauthenticated user can access the back-office orders list and query sensitive order information due to missing permission checks in Pimcore Ecommerce Framework Bundle.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Root Cause

CVE-2024-21665 is an authorization bypass vulnerability in the Pimcore Ecommerce Framework Bundle. The AdminOrderController, ConfigController, and OrderController classes were missing permission checks on their kernel controller event methods. Specifically, the onKernelControllerEvent methods did not invoke $this->checkPermission('bundle_ecommerce_back-office_order'), allowing any authenticated user to access the back-office orders list without proper authorization [1][3].

Exploitation

An attacker with a valid, but unauthorized, user session can directly access the order management endpoints. The lack of access control enforcement means that even low-privileged users can query the orders list and retrieve sensitive information returned by the backend [2]. No special network position or additional authentication bypass is required beyond having an authenticated session.

Impact

Successful exploitation allows an unauthorized user to view the complete list of orders, including potentially sensitive customer and transaction data. This violates the principle of least privilege and can lead to information disclosure of business-critical order details [3]. The vulnerability does not require any special privileges within the application beyond authentication.

Mitigation

The vulnerability has been patched in version 1.0.10 of the Ecommerce Framework Bundle. The fix adds $this->checkPermission('bundle_ecommerce_back-office_order') calls in the kernel controller event handlers for the affected controllers [1]. Note that the GPL version of this bundle is now end-of-life (EOL) and has been archived; users are advised to migrate to the Pimcore Enterprise Edition for continued support [4].
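The fix pattern described above (a per-request hook that calls checkPermission()) can be turned into an audit. As an added example, not code from the advisory or the Pimcore project, the Python below flags bundle controllers that extend FrontendController (which offers no checkPermission()), that do not implement KernelControllerEventInterface, or whose onKernelControllerEvent() never calls checkPermission(). The PHP sources are constructed samples, and the class regex assumes the bundle's plain `class X extends Y implements Z` declarations.

```python
import re

# Constructed sample sources (not the bundle's real files), shaped like the
# controllers in the CVE-2024-21665 fix commit: one guarded, two unguarded.
SAMPLE_SOURCES = {
    "AdminOrderController.php": """<?php
class AdminOrderController extends UserAwareController implements KernelControllerEventInterface
{
    public function onKernelControllerEvent(ControllerEvent $event): void
    {
        $this->checkPermission('bundle_ecommerce_back-office_order');
    }
}""",
    "ConfigController.php": """<?php
class ConfigController extends UserAwareController
{
}""",
    "FindologicController.php": """<?php
class FindologicController extends FrontendController implements KernelControllerEventInterface
{
    public function onKernelControllerEvent(ControllerEvent $event): void
    {
        $user = $this->tokenResolver->getUser();  // language setup only
    }
}""",
}

CLASS_RE = re.compile(r"class\s+(\w+)\s+extends\s+(\w+)(?:\s+implements\s+([\w\s,\\]+?))?\s*\{")
CHECK_RE = re.compile(r"checkPermission\(\s*'([^']+)'\s*\)")

def audit_controller(source: str) -> list:
    """Findings for one controller; an empty list means a permission check runs per request."""
    m = CLASS_RE.search(source)
    if not m:
        return []
    name, base, implements = m.group(1), m.group(2), m.group(3) or ""
    findings = []
    if base == "FrontendController":
        findings.append(f"{name}: extends FrontendController, which offers no checkPermission()")
    if "KernelControllerEventInterface" not in implements:
        return findings + [f"{name}: no KernelControllerEventInterface, so no hook runs before actions"]
    # The hook body runs up to the next "function " keyword, i.e. the next method.
    body = next((c for c in source.split("function ")[1:] if c.startswith("onKernelControllerEvent")), None)
    if body is None or not CHECK_RE.search(body):
        findings.append(f"{name}: onKernelControllerEvent() missing or never calls checkPermission()")
    return findings

def audit_bundle(sources: dict) -> dict:
    return {path: f for path, src in sources.items() if (f := audit_controller(src))}
```

Run audit_bundle() over the real src/Controller directory of an installed bundle to see which controllers still lack the hook.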

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                          Affected versions   Patched versions
pimcore/ecommerce-framework-bundle (Packagist)   < 1.0.10            1.0.10

Affected products

2

Patches

1
05dec000ed00

[Task]: Improve permission check (#149)

6 files changed · +32 -10
  • src/Controller/AdminOrderController.php (+2 -0, modified)
    @@ -68,6 +68,8 @@ public function __construct(protected TranslatorInterface $translator)
     
         public function onKernelControllerEvent(ControllerEvent $event): void
         {
    +        $this->checkPermission('bundle_ecommerce_back-office_order');
    +
             // set language
             $user = $this->tokenResolver->getUser();
     
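Review bot: the check is placed before the language setup, which is the right order, but none of the six files in this series adds a test. A functional test that requests the orders list as an authenticated user lacking bundle_ecommerce_back-office_order and asserts the access-denied response would keep this regression from returning silently.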
    
  • src/Controller/ConfigController.php (+8 -1, modified)
    @@ -16,8 +16,10 @@
     
     namespace Pimcore\Bundle\EcommerceFrameworkBundle\Controller;
     
    +use Pimcore\Controller\KernelControllerEventInterface;
     use Pimcore\Controller\UserAwareController;
     use Symfony\Component\HttpFoundation\Response;
    +use Symfony\Component\HttpKernel\Event\ControllerEvent;
     use Symfony\Component\Routing\Annotation\Route;
     use Symfony\Component\Routing\RouterInterface;
     
    @@ -28,7 +30,7 @@
      *
      * @internal
      */
    -class ConfigController extends UserAwareController
    +class ConfigController extends UserAwareController implements KernelControllerEventInterface
     {
         /**
          * ConfigController constructor.
    @@ -40,6 +42,11 @@ public function __construct(private RouterInterface $router)
             $this->router = $router;
         }
     
    +    public function onKernelControllerEvent(ControllerEvent $event): void
    +    {
    +        $this->checkPermission('bundle_ecommerce_back-office_order');
    +    }
    +
         /**
          * @Route("/js-config", name="pimcore_ecommerceframework_config_jsconfig", methods={"GET"})
          *
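Review bot: the /js-config route visible in the trailing context is now gated by bundle_ecommerce_back-office_order, the orders permission, although it serves JavaScript configuration rather than order data; any back-office screen other than the orders list that loads this config will now be denied for users without that permission. Either confirm that dependency or add a comment above the call explaining why the orders permission is the intended scope.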
    
  • src/Controller/FindologicController.php (+9 -2, modified)
    @@ -16,9 +16,11 @@
     
     namespace Pimcore\Bundle\EcommerceFrameworkBundle\Controller;
     
    -use Pimcore\Controller\FrontendController;
    +use Pimcore\Controller\KernelControllerEventInterface;
    +use Pimcore\Controller\UserAwareController;
     use Symfony\Component\HttpFoundation\Request;
     use Symfony\Component\HttpFoundation\Response;
    +use Symfony\Component\HttpKernel\Event\ControllerEvent;
     
     /**
      * Class FindologicController
    @@ -27,8 +29,13 @@
      *
      * @internal
      */
    -class FindologicController extends FrontendController
    +class FindologicController extends UserAwareController implements KernelControllerEventInterface
     {
    +    public function onKernelControllerEvent(ControllerEvent $event): void
    +    {
    +        $this->checkPermission('bundle_ecommerce_back-office_order');
    +    }
    +
         /**
          * create xml output for findologic
          */
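Review bot: the "create xml output for findologic" action is now only reachable from a back-office session holding the orders permission, because of both the base-class switch to UserAwareController and the new hook. If that XML is fetched by an external service rather than by an admin-UI user, the export will start failing with an access-denied response; confirm the intended consumer and record the behavioural change in the changelog.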
    
  • src/Controller/IndexController.php (+8 -1, modified)
    @@ -19,11 +19,13 @@
     use Pimcore\Bundle\EcommerceFrameworkBundle\Event\AdminEvents;
     use Pimcore\Bundle\EcommerceFrameworkBundle\Factory;
     use Pimcore\Bundle\EcommerceFrameworkBundle\IndexService\ProductList\ProductListInterface;
    +use Pimcore\Controller\KernelControllerEventInterface;
     use Pimcore\Controller\Traits\JsonHelperTrait;
     use Pimcore\Controller\UserAwareController;
     use Symfony\Component\EventDispatcher\GenericEvent;
     use Symfony\Component\HttpFoundation\JsonResponse;
     use Symfony\Component\HttpFoundation\Request;
    +use Symfony\Component\HttpKernel\Event\ControllerEvent;
     use Symfony\Component\Routing\Annotation\Route;
     use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
     use Symfony\Contracts\Translation\TranslatorInterface;
    @@ -35,10 +37,15 @@
      *
      * @internal
      */
    -class IndexController extends UserAwareController
    +class IndexController extends UserAwareController implements KernelControllerEventInterface
     {
         use JsonHelperTrait;
     
    +    public function onKernelControllerEvent(ControllerEvent $event): void
    +    {
    +        $this->checkPermission('bundle_ecommerce_back-office_order');
    +    }
    +
         /**
          * @Route("/get-filter-groups", name="pimcore_ecommerceframework_index_getfiltergroups", methods={"GET"})
          *
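Review bot: get-filter-groups (see the route in the trailing context) is a product-index endpoint, yet it is gated with the orders permission bundle_ecommerce_back-office_order, while PricingController in this same series keeps its own bundle_ecommerce_pricing_rules. Reusing the orders permission couples filter-group access to order access; either introduce a dedicated index permission or leave a comment explaining why the orders permission is reused, so a later reviewer does not "fix" it.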
    
  • src/Controller/PricingController.php (+1 -4, modified)
    @@ -43,10 +43,7 @@ class PricingController extends UserAwareController implements KernelControllerE
         public function onKernelControllerEvent(ControllerEvent $event): void
         {
             // permission check
    -        $access = $this->getPimcoreUser()->isAllowed('bundle_ecommerce_pricing_rules');
    -        if (!$access) {
    -            throw new \Exception('this function requires "bundle_ecommerce_pricing_rules" permission!');
    -        }
    +        $this->checkPermission('bundle_ecommerce_pricing_rules');
         }
     
         /**
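Review bot: good replacement: the removed code called $this->getPimcoreUser()->isAllowed(...), which dereferences null when no user is resolved, and threw a generic \Exception, which surfaces as a server error rather than an access-denied response. checkPermission() centralises both behaviours; worth a line in the commit message, since clients matching on the old exception text will see a different failure.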
    
  • src/Controller/VoucherController.php (+4 -2, modified)
    @@ -17,8 +17,8 @@
     namespace Pimcore\Bundle\EcommerceFrameworkBundle\Controller;
     
     use Pimcore\Bundle\EcommerceFrameworkBundle\VoucherService\TokenManager\ExportableTokenManagerInterface;
    -use Pimcore\Controller\FrontendController;
     use Pimcore\Controller\KernelControllerEventInterface;
    +use Pimcore\Controller\UserAwareController;
     use Pimcore\Model\DataObject;
     use Pimcore\Model\DataObject\Localizedfield;
     use Pimcore\Model\DataObject\OnlineShopVoucherSeries;
    @@ -37,7 +37,7 @@
      *
      * @internal
      */
    -class VoucherController extends FrontendController implements KernelControllerEventInterface
    +class VoucherController extends UserAwareController implements KernelControllerEventInterface
     {
         protected TokenStorageUserResolver $tokenResolver;
     
    @@ -55,6 +55,8 @@ public function __construct(TokenStorageUserResolver $tokenStorageUserResolver,
     
         public function onKernelControllerEvent(ControllerEvent $event): void
         {
    +        $this->checkPermission('bundle_ecommerce_pricing_rules');
    +
             // set language
             $user = $this->tokenResolver->getUser();
     
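Review bot: VoucherController is gated with bundle_ecommerce_pricing_rules rather than the orders permission used by the other controllers in this series or a voucher-specific one. If voucher series are administered under pricing rules that is fine, but add a short comment above the call saying so; as written it reads like a copy from PricingController.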
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
