CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-48296 – OroPlatform's storefront user can access history and most viewed data from matching back-office user with the same ID
https://notcve.org/view.php?id=CVE-2023-48296
OroPlatform is a PHP Business Application Platform (BAP). Navigation history, most viewed and favorite navigation items are returned to storefront user in JSON navigation response if ID of storefront user matches ID of back-office user. This vulnerability is fixed in 5.1.4. OroPlatform es una plataforma de aplicaciones empresariales (BAP) PHP. El historial de navegación y los elementos de navegación más vistos y favoritos se devuelven al usuario de la tienda en la respuesta de navegación JSON si el ID del usuario de la tienda coincide con el ID del usuario de la oficina administrativa. • https://github.com/oroinc/orocommerce/commit/41c526498012d44cd88852c63697f1ef53b61db8 https://github.com/oroinc/orocommerce/security/advisories/GHSA-v7px-46v9-5qwp • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-45824 – OroPlatform's pinned entity creation form shows pages of other users
https://notcve.org/view.php?id=CVE-2023-45824
OroPlatform is a PHP Business Application Platform (BAP). A logged in user can access page state data of pinned pages of other users by pageId hash. This vulnerability is fixed in 5.1.4. OroPlatform es una plataforma de aplicaciones empresariales (BAP) PHP. Un usuario que ha iniciado sesión puede acceder a los datos del estado de la página de las páginas fijadas de otros usuarios mediante el hash de ID de página. • https://github.com/oroinc/platform/commit/cf94df7595afca052796e26b299d2ce031e289cd https://github.com/oroinc/platform/security/advisories/GHSA-vxq2-p937-3px3 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-32065 – OroCommerce get-totals-for-checkout API endpoint returns unwanted data
https://notcve.org/view.php?id=CVE-2023-32065
OroCommerce is an open-source Business to Business Commerce application built with flexibility in mind. Detailed Order totals information may be received by Order ID. This issue is patched in version 5.0.11 and 5.1.1. OroCommerce es una aplicación de comercio entre empresas de código abierto creada teniendo en cuenta la flexibilidad. Se puede recibir información detallada sobre los totales de los pedidos mediante el ID del pedido. • https://github.com/oroinc/orocommerce/security/advisories/GHSA-88g2-xgh9-4ph2 • CWE-284: Improper Access Control •
CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2023-32064 – OroCommerce Customer Portal Incorrect Customer and Customer Group Frontend Menus pages visibility
https://notcve.org/view.php?id=CVE-2023-32064
OroCommerce package with customer portal and non authenticated visitor website base features. Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.11 and 5.1.1. Paquete OroCommerce con portal para clientes y funciones básicas de sitio web para visitantes no autenticados. Los usuarios del back-office pueden acceder a información sobre los menús del Cliente y del Usuario del Cliente, evitando las restricciones de seguridad de ACL debido a controles de seguridad insuficientes. • https://github.com/oroinc/orocommerce/security/advisories/GHSA-8gwj-68w6-7v6c • CWE-284: Improper Access Control •
CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2023-32063 – OroCRMCallBundle has incorrect call view page visibility
https://notcve.org/view.php?id=CVE-2023-32063
OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1. OroCalendarBundle habilita una función de Calendario y funciones relacionadas en aplicaciones Oro. Los usuarios del back-office pueden acceder a la información de cualquier evento de llamada, evitando las restricciones de seguridad de ACL debido a controles de seguridad insuficientes. • https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85 https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950 https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g • CWE-284: Improper Access Control •