CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2023-32063 – OroCRMCallBundle has incorrect call view page visibility
https://notcve.org/view.php?id=CVE-2023-32063
28 Nov 2023 — OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1. OroCalendarBundle habilita una función de Calendario y funciones relacionadas en aplicaciones Oro. Los usuarios del back-office pueden acceder a la información de cualquier evento de llamada, evitando las restricciones de segurid... • https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85 • CWE-284: Improper Access Control •
CVSS: 5.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-39198 – The disqualify lead action may be executed without CSRF token check
https://notcve.org/view.php?id=CVE-2021-39198
19 Nov 2021 — OroCRM is an open source Client Relationship Management (CRM) application. Affected versions we found to suffer from a vulnerability which could an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability and all users are advised to update their package. OroCRM es una aplicación de Administración de Relaciones con los Clientes (CRM) de código abierto. Las versiones afectadas sufren de una vulnerabilidad que podría un a... • https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43 • CWE-352: Cross-Site Request Forgery (CSRF) •