CVE-2023-32062

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

O

roPlatform is a package that assists system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks. This vulnerability has been patched in version 5.1.1.

References

Link	Resource
https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b	Patch
https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531	Patch
https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g	Vendor Advisory
https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b	Patch
https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531	Patch
https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:oroinc:oroplatform::::::::
	cpe:2.3:a:oroinc:oroplatform::::::::
	cpe:2.3:a:oroinc:oroplatform::::::::

History

21 Nov 2024, 08:02

Type	Values Removed	Values Added
References	~~() https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b - Patch~~	() https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b - Patch
References	~~() https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531 - Patch~~	() https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531 - Patch
References	~~() https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g - Vendor Advisory~~	() https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~4.3~~	v2 : unknown v3 : 5.0

Information

Published : 2023-11-27 22:15

Updated : 2024-11-21 08:02

NVD link : CVE-2023-32062

Mitre link : CVE-2023-32062

CVE.ORG link : CVE-2023-32062

JSON object : View

Products Affected

oroplatform

CWE

CWE-284

Improper Access Control

{"id": "CVE-2023-32062", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2023-11-27T22:15:07.660", "references": [{"url": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "OroPlatform is a package that assists system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks. This vulnerability has been patched in version 5.1.1."}, {"lang": "es", "value": "OroPlatform es un paquete que ayuda a la gesti\u00f3n del calendario del usuario y del sistema. Los usuarios del back-office pueden acceder a la informaci\u00f3n de cualquier evento del calendario del sistema, evitando las restricciones de seguridad de ACL debido a controles de seguridad insuficientes. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 5.1.1."}], "lastModified": "2024-11-21T08:02:38.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oroinc:oroplatform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4F4894B-25D0-4CA4-9507-270AA1DB43DF", "versionEndIncluding": "4.2.6", "versionStartIncluding": "4.2.0"}, {"criteria": "cpe:2.3:a:oroinc:oroplatform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8FF11919-29C5-4E1F-AB3C-2D4B61D0001A", "versionEndExcluding": "5.0.7", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:oroinc:oroplatform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "378BFE9F-25E2-4333-B947-D0FDB9F18590", "versionEndExcluding": "5.1.1", "versionStartIncluding": "5.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}