CVE-2023-32063

MEDIUM

Oroinc Client Relationship Management - Improper Access Control


Description

OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Because of insufficient security checks, back-office users can access information from any call event, bypassing ACL security restrictions. This issue has been patched in versions 5.0.4 and 5.1.1.

Scores

CVSS v3 5.0
EPSS 0.0019
EPSS Percentile 41.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Details

CWE
CWE-284
Status published
Products (2)
oro/crm-call-bundle 4.2.0 (Packagist)
oroinc/client_relationship_management 4.2.0 - 4.2.5
Published Nov 28, 2023
Tracked Since Feb 18, 2026