CVE-2023-32063

Published: Nov 28, 2023Modified: Nov 21, 2024

5.0

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Exploitability: 3.1 / Impact: 1.4

Source: NVD

Description

OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1.

Affected (3)

Products: Oroinc: Client Relationship Management

1 product

Client Relationship Management

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Oroinc Client Relationship Management	From 4.2.0 to 4.2.5
Oroinc Client Relationship Management	From 5.0.0 to 5.0.4
Oroinc Client Relationship Management	From 5.1.0 to 5.1.1

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (6)

https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85

Source: security-advisories@github.com

Patch

https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950

Source: security-advisories@github.com

Patch

https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g

Source: security-advisories@github.com

Vendor Advisory

https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.