CVE-2023-32064
MEDIUM
OroCommerce 4.2.0-4.2.7 - Authenticated Improper Access Control via Customer Menu ACL Bypass
Title source: llmDescription
OroCommerce package with customer portal and non-authenticated visitor website base features. Back-office users can access information from the Customer and Customer User menus, bypassing ACL security restrictions, because the affected code performs insufficient security (ACL) checks before exposing that data. This issue has been patched in versions 5.0.11 and 5.1.1.
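The bug class described above, as an added illustration that is not code from OroCommerce or from the vendor advisory: a Symfony-style back-office controller (OroCommerce is built on Symfony) whose action only requires the caller to be logged in, shown beside a hardened version that gates each customer-related menu section on the ACL permission protecting the underlying entity. `isGranted`, `denyAccessUnlessGranted` and `createAccessDeniedException` are real `AbstractController` methods; the permission ids, route names, class name and the sample menu data are hypothetical and constructed for the example.

```php
<?php
// Added illustrative example (not OroCommerce code). Permission ids, routes and
// sample data are hypothetical; the point is the missing ACL decision.

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\Routing\Annotation\Route;

final class CustomerMenuController extends AbstractController
{
    // Hypothetical ACL ids standing in for the Customer and Customer User
    // "view" permissions that a correct implementation must enforce.
    private const ACL_CUSTOMER_VIEW      = 'app_customer_view';
    private const ACL_CUSTOMER_USER_VIEW = 'app_customer_user_view';

    /**
     * Vulnerable pattern: authentication is checked, authorization is not.
     * Any back-office user, including a role with no customer permissions,
     * receives the full Customer and Customer User menu data.
     */
    #[Route('/admin/customer-menu/unsafe', name: 'app_customer_menu_unsafe')]
    public function unsafeAction(): JsonResponse
    {
        // Proves only that the caller is logged in; no ACL decision is made.
        $this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');

        return new JsonResponse([
            'customers'      => $this->buildCustomerSection(),
            'customer_users' => $this->buildCustomerUserSection(),
        ]);
    }

    /**
     * Hardened pattern: each section is included only if the caller holds the
     * ACL permission for the entity behind it, and a caller holding neither
     * permission gets a 403 instead of an empty "successful" response.
     */
    #[Route('/admin/customer-menu', name: 'app_customer_menu')]
    public function safeAction(): JsonResponse
    {
        $this->denyAccessUnlessGranted('IS_AUTHENTICATED_FULLY');

        $menu = [];
        if ($this->isGranted(self::ACL_CUSTOMER_VIEW)) {
            $menu['customers'] = $this->buildCustomerSection();
        }
        if ($this->isGranted(self::ACL_CUSTOMER_USER_VIEW)) {
            $menu['customer_users'] = $this->buildCustomerUserSection();
        }

        if ($menu === []) {
            // Same outcome a direct request to a protected entity should get.
            throw $this->createAccessDeniedException('No customer ACL permission granted');
        }

        return new JsonResponse($menu);
    }

    /** Constructed sample data representing what the Customer menu exposes. */
    private function buildCustomerSection(): array
    {
        return [
            'label' => 'Customers',
            'items' => [
                ['id' => 101, 'name' => 'Example Corp'],
                ['id' => 102, 'name' => 'Sample Ltd'],
            ],
        ];
    }

    /** Constructed sample data representing what the Customer User menu exposes. */
    private function buildCustomerUserSection(): array
    {
        return [
            'label' => 'Customer Users',
            'items' => [
                ['id' => 5001, 'email' => 'buyer@example.test', 'customer_id' => 101],
            ],
        ];
    }
}
```

To check a deployment for this class of problem, log in with a back-office role that has had every Customer and Customer User permission removed and request the menu and data endpoints directly; a correct build answers 403 (or omits the sections), while a vulnerable one still returns the customer records.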
References (1)
Vendor Advisory (x_refsource_confirm): https://github.com/oroinc/orocommerce/security/advisories/GHSA-8gwj-68w6-7v6c
Scores
CVSS v3
5.0
EPSS
0.0050
EPSS Percentile
38.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Details
CWE
CWE-284
Status
published
Products (2)
oro/customer-portal: 4.2.0 (Packagist)
oroinc/orocommerce: 4.2.0 - 4.2.8
Published
Nov 28, 2023
Tracked Since
Feb 18, 2026