CVE-2023-32063

EUVD-2023-2919
OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
GitHub_MCNA
5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 41%
Affected Products (NVD)
VendorProductVersion
oroincclient_relationship_management
4.2.0 ≤
𝑥
≤ 4.2.5
oroincclient_relationship_management
5.0.0 ≤
𝑥
< 5.0.4
oroincclient_relationship_management
5.1.0 ≤
𝑥
< 5.1.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85
https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950
https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g
https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85
https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950
https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g