CVE-2023-32063

OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85	Patch
https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950	Patch
https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g	Vendor Advisory
https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85	Patch
https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950	Patch
https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:oroinc:client_relationship_management::::::::
	cpe:2.3:a:oroinc:client_relationship_management::::::::
	cpe:2.3:a:oroinc:client_relationship_management::::::::

History

No history.

Information

Published : 2023-11-28 04:15

Updated : 2024-11-21 08:02

NVD link : CVE-2023-32063

Mitre link : CVE-2023-32063

CVE.ORG link : CVE-2023-32063

JSON object : View

Products Affected

oroinc

client_relationship_management

CWE

CWE-284

Improper Access Control

{"id": "CVE-2023-32063", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.1}]}, "published": "2023-11-28T04:15:07.143", "references": [{"url": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1."}, {"lang": "es", "value": "OroCalendarBundle habilita una funci\u00f3n de Calendario y funciones relacionadas en aplicaciones Oro. Los usuarios del back-office pueden acceder a la informaci\u00f3n de cualquier evento de llamada, evitando las restricciones de seguridad de ACL debido a controles de seguridad insuficientes. Este problema se solucion\u00f3 en las versiones 5.0.4 y 5.1.1."}], "lastModified": "2024-11-21T08:02:38.350", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oroinc:client_relationship_management:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D7A1B563-4905-464D-A4B0-A317A2182BA2", "versionEndIncluding": "4.2.5", "versionStartIncluding": "4.2.0"}, {"criteria": "cpe:2.3:a:oroinc:client_relationship_management:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3A2D401C-A6CD-48B0-8A5C-A9FD55182189", "versionEndExcluding": "5.0.4", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:oroinc:client_relationship_management:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E55AC63D-454C-48E3-8FD5-E8521E9554A2", "versionEndExcluding": "5.1.1", "versionStartIncluding": "5.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}