
CVE-2023-32063

OroCRMCallBundle has incorrect call view page visibility

OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1.
Data provided by the National Vulnerability Database (NVD)
Affected products:
Oroinc Client Relationship Management, version >= 4.2.0 and <= 4.2.5
Oroinc Client Relationship Management, version >= 5.0.0 and < 5.0.4
Oroinc Client Relationship Management, version >= 5.1.0 and < 5.1.1
No security alert was found for this CVE.
EPSS metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   0.54%   0.409
CVSS metrics
Source                          Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov                    5            3.1             1.4            CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
security-advisories@github.com  5            3.1             1.4            CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References:
https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85 (Patch)
https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950 (Patch)
https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g (Vendor Advisory)