CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2023-32063 – OroCRMCallBundle has incorrect call view page visibility
https://notcve.org/view.php?id=CVE-2023-32063
OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1. OroCalendarBundle habilita una función de Calendario y funciones relacionadas en aplicaciones Oro. Los usuarios del back-office pueden acceder a la información de cualquier evento de llamada, evitando las restricciones de seguridad de ACL debido a controles de seguridad insuficientes. • https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85 https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950 https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g • CWE-284: Improper Access Control •
CVSS: 5.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-39198 – The disqualify lead action may be executed without CSRF token check
https://notcve.org/view.php?id=CVE-2021-39198
OroCRM is an open source Client Relationship Management (CRM) application. Affected versions we found to suffer from a vulnerability which could an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability and all users are advised to update their package. OroCRM es una aplicación de Administración de Relaciones con los Clientes (CRM) de código abierto. Las versiones afectadas sufren de una vulnerabilidad que podría un atacante es capaz de descalificar cualquier Lead con un ataque de tipo Cross-Site Request Forgery (CSRF). • https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43 • CWE-352: Cross-Site Request Forgery (CSRF) •