CVE-2023-32064

Published: Nov 28, 2023Modified: Nov 21, 2024

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

OroCommerce package with customer portal and non authenticated visitor website base features. Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.11 and 5.1.1.

Affected (3)

Products: Oroinc: Orocommerce

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Oroinc Orocommerce	From 4.2.0 to 4.2.8
Oroinc Orocommerce	From 5.0.0 to 5.0.11
Oroinc Orocommerce	From 5.1.0 to 5.1.1

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (2)

https://github.com/oroinc/orocommerce/security/advisories/GHSA-8gwj-68w6-7v6c

Source: security-advisories@github.com

Vendor Advisory

https://github.com/oroinc/orocommerce/security/advisories/GHSA-8gwj-68w6-7v6c

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.