
    6 vulnerabilities found for crm by oroinc

    CVE-2023-32063 (GCVE-0-2023-32063)

    Vulnerability from nvd – Published: 2023-11-28 03:30 – Updated: 2024-08-02 15:03
    VLAI
    Title
    OroCRMCallBundle has incorrect call view page visibility
    Summary
    OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in versions 5.0.4 and 5.1.1.
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    oroinc crm Affected: >= 4.2.0, <= 4.2.5
    Affected: >= 5.0.0, < 5.0.4
    Affected: >= 5.1.0, < 5.1.1

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:03:28.874Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g"
              },
              {
                "name": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85"
              },
              {
                "name": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "crm",
              "vendor": "oroinc",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0, \u003c= 4.2.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c 5.0.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.1.0, \u003c 5.1.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-28T03:30:22.578Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g"
            },
            {
              "name": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85"
            },
            {
              "name": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950"
            }
          ],
          "source": {
            "advisory": "GHSA-897w-jv7j-6r7g",
            "discovery": "UNKNOWN"
          },
          "title": "OroCRMCallBundle has incorrect call view page visibility"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-32063",
        "datePublished": "2023-11-28T03:30:22.578Z",
        "dateReserved": "2023-05-01T16:47:35.314Z",
        "dateUpdated": "2024-08-02T15:03:28.874Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-32062 (GCVE-0-2023-32062)

    Vulnerability from nvd – Published: 2023-11-27 20:58 – Updated: 2024-08-02 15:03
    VLAI
    Title
    OroCalendarBundle has incorrect system calendar events visibility
    Summary
    OroPlatform is a package that assists system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks. This vulnerability has been patched in version 5.1.1.
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    oroinc crm Affected: >= 4.2.0, <= 4.2.6
    Affected: >= 5.0.0, <= 5.0.6
    Affected: >= 5.1.0, < 5.1.1

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:03:28.737Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g"
              },
              {
                "name": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b"
              },
              {
                "name": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "crm",
              "vendor": "oroinc",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0, \u003c= 4.2.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c= 5.0.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.1.0, \u003c 5.1.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OroPlatform is a package that assists system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks. This vulnerability has been patched in version 5.1.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-27T20:58:35.357Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g"
            },
            {
              "name": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b"
            },
            {
              "name": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531"
            }
          ],
          "source": {
            "advisory": "GHSA-x2xm-p6vq-482g",
            "discovery": "UNKNOWN"
          },
          "title": "OroCalendarBundle has incorrect system calendar events visibility"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-32062",
        "datePublished": "2023-11-27T20:58:35.357Z",
        "dateReserved": "2023-05-01T16:47:35.313Z",
        "dateUpdated": "2024-08-02T15:03:28.737Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-39198 (GCVE-0-2021-39198)

    Vulnerability from nvd – Published: 2021-11-19 21:30 – Updated: 2024-08-04 01:58
    VLAI
    Title
    The disqualify lead action may be executed without CSRF token check
    Summary
    OroCRM is an open source Client Relationship Management (CRM) application. Affected versions were found to suffer from a vulnerability in which an attacker is able to disqualify any Lead through a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability, and all users are advised to update their package.
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    oroinc crm Affected: >=4.2.0, < 4.2.7
    Affected: < 4.1.17

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:58:18.171Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "crm",
              "vendor": "oroinc",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e=4.2.0, \u003c 4.2.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OroCRM is an open source Client Relationship Management (CRM) application. Affected versions we found to suffer from a vulnerability which could an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability and all users are advised to update their package."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-19T21:30:09.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43"
            }
          ],
          "source": {
            "advisory": "GHSA-vf7h-6246-hm43",
            "discovery": "UNKNOWN"
          },
          "title": "The disqualify lead action may be executed without CSRF token check",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2021-39198",
              "STATE": "PUBLIC",
              "TITLE": "The disqualify lead action may be executed without CSRF token check"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "crm",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003e=4.2.0, \u003c 4.2.7"
                              },
                              {
                                "version_value": "\u003c 4.1.17"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "oroinc"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OroCRM is an open source Client Relationship Management (CRM) application. Affected versions we found to suffer from a vulnerability which could an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability and all users are advised to update their package."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-352: Cross-Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-vf7h-6246-hm43",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-39198",
        "datePublished": "2021-11-19T21:30:09.000Z",
        "dateReserved": "2021-08-16T00:00:00.000Z",
        "dateUpdated": "2024-08-04T01:58:18.171Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-32063 (GCVE-0-2023-32063)

    Vulnerability from cvelistv5 – Published: 2023-11-28 03:30 – Updated: 2024-08-02 15:03
    VLAI
    Title
    OroCRMCallBundle has incorrect call view page visibility
    Summary
    OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in versions 5.0.4 and 5.1.1.
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    oroinc crm Affected: >= 4.2.0, <= 4.2.5
    Affected: >= 5.0.0, < 5.0.4
    Affected: >= 5.1.0, < 5.1.1

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:03:28.874Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g"
              },
              {
                "name": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85"
              },
              {
                "name": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "crm",
              "vendor": "oroinc",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0, \u003c= 4.2.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c 5.0.4"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.1.0, \u003c 5.1.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-28T03:30:22.578Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g"
            },
            {
              "name": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85"
            },
            {
              "name": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950"
            }
          ],
          "source": {
            "advisory": "GHSA-897w-jv7j-6r7g",
            "discovery": "UNKNOWN"
          },
          "title": "OroCRMCallBundle has incorrect call view page visibility"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-32063",
        "datePublished": "2023-11-28T03:30:22.578Z",
        "dateReserved": "2023-05-01T16:47:35.314Z",
        "dateUpdated": "2024-08-02T15:03:28.874Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-32062 (GCVE-0-2023-32062)

    Vulnerability from cvelistv5 – Published: 2023-11-27 20:58 – Updated: 2024-08-02 15:03
    VLAI
    Title
    OroCalendarBundle has incorrect system calendar events visibility
    Summary
    OroPlatform is a package that assists system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks. This vulnerability has been patched in version 5.1.1.
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    oroinc crm Affected: >= 4.2.0, <= 4.2.6
    Affected: >= 5.0.0, <= 5.0.6
    Affected: >= 5.1.0, < 5.1.1

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T15:03:28.737Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g"
              },
              {
                "name": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b"
              },
              {
                "name": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "crm",
              "vendor": "oroinc",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 4.2.0, \u003c= 4.2.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.0.0, \u003c= 5.0.6"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 5.1.0, \u003c 5.1.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OroPlatform is a package that assists system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks. This vulnerability has been patched in version 5.1.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284: Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-11-27T20:58:35.357Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g"
            },
            {
              "name": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b"
            },
            {
              "name": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531"
            }
          ],
          "source": {
            "advisory": "GHSA-x2xm-p6vq-482g",
            "discovery": "UNKNOWN"
          },
          "title": "OroCalendarBundle has incorrect system calendar events visibility"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-32062",
        "datePublished": "2023-11-27T20:58:35.357Z",
        "dateReserved": "2023-05-01T16:47:35.313Z",
        "dateUpdated": "2024-08-02T15:03:28.737Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-39198 (GCVE-0-2021-39198)

    Vulnerability from cvelistv5 – Published: 2021-11-19 21:30 – Updated: 2024-08-04 01:58
    Title
    The disqualify lead action may be executed without CSRF token check
    Summary
    OroCRM is an open source Client Relationship Management (CRM) application. In affected versions, an attacker is able to disqualify any Lead through a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability, and all users are advised to update their package.
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    oroinc crm Affected: >=4.2.0, < 4.2.7
    Affected: < 4.1.17

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T01:58:18.171Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "crm",
              "vendor": "oroinc",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e=4.2.0, \u003c 4.2.7"
                },
                {
                  "status": "affected",
                  "version": "\u003c 4.1.17"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "OroCRM is an open source Client Relationship Management (CRM) application. Affected versions we found to suffer from a vulnerability which could an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability and all users are advised to update their package."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-11-19T21:30:09.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43"
            }
          ],
          "source": {
            "advisory": "GHSA-vf7h-6246-hm43",
            "discovery": "UNKNOWN"
          },
          "title": "The disqualify lead action may be executed without CSRF token check",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2021-39198",
              "STATE": "PUBLIC",
              "TITLE": "The disqualify lead action may be executed without CSRF token check"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "crm",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003e=4.2.0, \u003c 4.2.7"
                              },
                              {
                                "version_value": "\u003c 4.1.17"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "oroinc"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "OroCRM is an open source Client Relationship Management (CRM) application. Affected versions we found to suffer from a vulnerability which could an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability and all users are advised to update their package."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-352: Cross-Site Request Forgery (CSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-vf7h-6246-hm43",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2021-39198",
        "datePublished": "2021-11-19T21:30:09.000Z",
        "dateReserved": "2021-08-16T00:00:00.000Z",
        "dateUpdated": "2024-08-04T01:58:18.171Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }