CVE-2023-32064

OroCommerce package with customer portal and non authenticated visitor website base features. Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.11 and 5.1.1.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/oroinc/orocommerce/security/advisories/GHSA-8gwj-68w6-7v6c	Vendor Advisory
https://github.com/oroinc/orocommerce/security/advisories/GHSA-8gwj-68w6-7v6c	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:oroinc:orocommerce::::::::
	cpe:2.3:a:oroinc:orocommerce::::::::
	cpe:2.3:a:oroinc:orocommerce::::::::

History

21 Nov 2024, 08:02

Type	Values Removed	Values Added
References	~~() https://github.com/oroinc/orocommerce/security/advisories/GHSA-8gwj-68w6-7v6c - Vendor Advisory~~	() https://github.com/oroinc/orocommerce/security/advisories/GHSA-8gwj-68w6-7v6c - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~4.3~~	v2 : unknown v3 : 5.0

01 Dec 2023, 22:01

Type	Values Removed	Values Added
References	~~() https://github.com/oroinc/orocommerce/security/advisories/GHSA-8gwj-68w6-7v6c -~~	() https://github.com/oroinc/orocommerce/security/advisories/GHSA-8gwj-68w6-7v6c - Vendor Advisory
First Time		Oroinc orocommerce Oroinc
CPE		cpe:2.3:a:oroinc:orocommerce::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3

28 Nov 2023, 04:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-28 04:15

Updated : 2024-11-21 08:02

NVD link : CVE-2023-32064

Mitre link : CVE-2023-32064

CVE.ORG link : CVE-2023-32064

JSON object : View

Products Affected

oroinc

orocommerce

CWE

CWE-284

Improper Access Control

{"id": "CVE-2023-32064", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2023-11-28T04:15:07.360", "references": [{"url": "https://github.com/oroinc/orocommerce/security/advisories/GHSA-8gwj-68w6-7v6c", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/oroinc/orocommerce/security/advisories/GHSA-8gwj-68w6-7v6c", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "OroCommerce package with customer portal and non authenticated visitor website base features. Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.11 and 5.1.1.\n\n"}, {"lang": "es", "value": "Paquete OroCommerce con portal para clientes y funciones b\u00e1sicas de sitio web para visitantes no autenticados. Los usuarios del back-office pueden acceder a informaci\u00f3n sobre los men\u00fas del Cliente y del Usuario del Cliente, evitando las restricciones de seguridad de ACL debido a controles de seguridad insuficientes. Este problema se solucion\u00f3 en las versiones 5.0.11 y 5.1.1."}], "lastModified": "2024-11-21T08:02:38.470", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oroinc:orocommerce:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9E0C45BF-56A3-480F-AC47-7811E56CF653", "versionEndIncluding": "4.2.8", "versionStartIncluding": "4.2.0"}, {"criteria": "cpe:2.3:a:oroinc:orocommerce:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9A2DBB10-E76F-4210-943D-9FF29CD90538", "versionEndExcluding": "5.0.11", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:oroinc:orocommerce:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA4A911B-D810-45B3-BCAA-ABD4EF968657", "versionEndExcluding": "5.1.1", "versionStartIncluding": "5.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}