Vulnerability Details CVE-2023-32063
OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 41.8%
CVSS Severity
CVSS v3 Score 5.0
References
- https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85
- https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950
- https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g
- https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85
- https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950
- https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g
Products affected by CVE-2023-32063
-
cpe:2.3:a:oroinc:client_relationship_management:4.2.0
-
cpe:2.3:a:oroinc:client_relationship_management:4.2.1
-
cpe:2.3:a:oroinc:client_relationship_management:4.2.2
-
cpe:2.3:a:oroinc:client_relationship_management:4.2.3
-
cpe:2.3:a:oroinc:client_relationship_management:4.2.4
-
cpe:2.3:a:oroinc:client_relationship_management:4.2.5
-
cpe:2.3:a:oroinc:client_relationship_management:5.0.0
-
cpe:2.3:a:oroinc:client_relationship_management:5.0.1
-
cpe:2.3:a:oroinc:client_relationship_management:5.0.2
-
cpe:2.3:a:oroinc:client_relationship_management:5.0.3
-
cpe:2.3:a:oroinc:client_relationship_management:5.1.0