CVE-2023-32065
OroCommerce get-totals-for-checkout API endpoint returns unwanted data
Severity Score
5.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
OroCommerce is an open-source Business to Business Commerce application built with flexibility in mind. Detailed Order totals information may be received by Order ID. This issue is patched in version 5.0.11 and 5.1.1.
OroCommerce es una aplicación de comercio entre empresas de código abierto creada teniendo en cuenta la flexibilidad. Se puede recibir información detallada sobre los totales de los pedidos mediante el ID del pedido. Este problema se solucionó en las versiones 5.0.11 y 5.1.1.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-05-01 CVE Reserved
- 2023-11-28 CVE Published
- 2024-08-02 CVE Updated
- 2024-10-28 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-284: Improper Access Control
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/oroinc/orocommerce/security/advisories/GHSA-88g2-xgh9-4ph2 | 2023-12-01 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Oroinc Search vendor "Oroinc" | Orocommerce Search vendor "Oroinc" for product "Orocommerce" | >= 4.2.0 <= 4.2.10 Search vendor "Oroinc" for product "Orocommerce" and version " >= 4.2.0 <= 4.2.10" | - |
Affected
| ||||||
| Oroinc Search vendor "Oroinc" | Orocommerce Search vendor "Oroinc" for product "Orocommerce" | >= 5.0.0 < 5.0.11 Search vendor "Oroinc" for product "Orocommerce" and version " >= 5.0.0 < 5.0.11" | - |
Affected
| ||||||
| Oroinc Search vendor "Oroinc" | Orocommerce Search vendor "Oroinc" for product "Orocommerce" | >= 5.1.0 < 5.1.1 Search vendor "Oroinc" for product "Orocommerce" and version " >= 5.1.0 < 5.1.1" | - |
Affected
| ||||||