CVE-2023-32064

OroCommerce package with customer portal and non authenticated visitor website base features. Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.11 and 5.1.1.

Published: Nov 28, 2023
Updated: May 10, 2024
CVE: CVE-2023-32064
GHSA: GHSA-8gwj-68w6-7v6c
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
oro / customer-portal	4.2.0	4.2.8.x
oro / customer-portal	5.0.0	5.0.11
oro / customer-portal	5.1.0	5.1.1
oroinc / orocommerce	5.1.0	5.1.1
oroinc / orocommerce	5.0.0	5.0.11
oroinc / orocommerce	4.2.0	4.2.8.x

https://github.com/oroinc/orocommerce/security/advisories/GHSA-8gwj-68w6-7v6c

Vulnerability Database

CVE-2023-32064

Deep Security Visibility Without the Complexity