CVE-2023-32063

OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1.

CVSS v3.0 5.0 MEDIUM

5.0^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g	Vendor Advisory
https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85	Patch
https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:oroinc:client_relationship_management::::::::
	cpe:2.3:a:oroinc:client_relationship_management::::::::
	cpe:2.3:a:oroinc:client_relationship_management::::::::

Information

Published : 2023-11-28 04:15

Updated : 2023-12-01 21:46

NVD link : CVE-2023-32063

Mitre link : CVE-2023-32063

JSON object : View

Products Affected

oroinc

client_relationship_management

CWE

CWE-284

Improper Access Control

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g", "name": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g", "tags": ["Vendor Advisory"], "refsource": ""}, {"url": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85", "name": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85", "tags": ["Patch"], "refsource": ""}, {"url": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950", "name": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950", "tags": ["Patch"], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-284"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2023-32063", "ASSIGNER": "security-advisories@github.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.1}}, "publishedDate": "2023-11-28T04:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:oroinc:client_relationship_management:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "4.2.5", "versionStartIncluding": "4.2.0"}, {"cpe23Uri": "cpe:2.3:a:oroinc:client_relationship_management:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "5.1.1", "versionStartIncluding": "5.1.0"}, {"cpe23Uri": "cpe:2.3:a:oroinc:client_relationship_management:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "5.0.4", "versionStartIncluding": "5.0.0"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-12-01T21:46Z"}