CVE-2024-21665 MEDIUM

CVE-2024-21665: Pimcore Ecommerce Framework Bundle Improper Access Control allows unprivileged user to access back-office orders list

Vendor Pimcore
Product ecommerce-framework-bundle
Weakness CWE-284
Published January 11, 2024
Last update June 17, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

ecommerce-framework-bundle is the Pimcore Ecommerce Framework Bundle. An authenticated and unauthorized user can access the back-office orders list and be able to query over the information returned. Access control and permissions are not being enforced. This vulnerability has been patched in version 1.0.10.

Key dates

02Disclosure timeline

January 11, 2024 CVE published
June 17, 2025 Record updated