CVE-2023-32062

OroPlatform is a package that assists system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks. This vulnerability has been patched in version 5.1.1.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b	Patch
https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531	Patch
https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:oroinc:oroplatform::::::::
	cpe:2.3:a:oroinc:oroplatform::::::::
	cpe:2.3:a:oroinc:oroplatform::::::::

History

No history.

Information

Published : 2023-11-27 22:15

Updated : 2023-12-01 19:23

NVD link : CVE-2023-32062

Mitre link : CVE-2023-32062

CVE.ORG link : CVE-2023-32062

JSON object : View

Products Affected

oroinc

oroplatform

CWE

CWE-284

Improper Access Control

{"id": "CVE-2023-32062", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.1}]}, "published": "2023-11-27T22:15:07.660", "references": [{"url": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "OroPlatform is a package that assists system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks. This vulnerability has been patched in version 5.1.1."}, {"lang": "es", "value": "OroPlatform es un paquete que ayuda a la gesti\u00f3n del calendario del usuario y del sistema. Los usuarios del back-office pueden acceder a la informaci\u00f3n de cualquier evento del calendario del sistema, evitando las restricciones de seguridad de ACL debido a controles de seguridad insuficientes. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 5.1.1."}], "lastModified": "2023-12-01T19:23:09.187", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oroinc:oroplatform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4F4894B-25D0-4CA4-9507-270AA1DB43DF", "versionEndIncluding": "4.2.6", "versionStartIncluding": "4.2.0"}, {"criteria": "cpe:2.3:a:oroinc:oroplatform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8FF11919-29C5-4E1F-AB3C-2D4B61D0001A", "versionEndExcluding": "5.0.7", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:oroinc:oroplatform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "378BFE9F-25E2-4333-B947-D0FDB9F18590", "versionEndExcluding": "5.1.1", "versionStartIncluding": "5.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}