6 vulnerabilities found for crm by oroinc
CVE-2023-32063 (GCVE-0-2023-32063)
Vulnerability from nvd – Published: 2023-11-28 03:30 – Updated: 2024-08-02 15:03
Title
OroCRMCallBundle has incorrect call view page visibility
Summary
OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1.
Severity
5 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/oroinc/crm/security/advisories… | x_refsource_CONFIRM |
| https://github.com/oroinc/OroCRMCallBundle/commit… | x_refsource_MISC |
| https://github.com/oroinc/OroCRMCallBundle/commit… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:28.874Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g"
},
{
"name": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85"
},
{
"name": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "crm",
"vendor": "oroinc",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0, \u003c= 4.2.5"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.0.4"
},
{
"status": "affected",
"version": "\u003e= 5.1.0, \u003c 5.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-28T03:30:22.578Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g"
},
{
"name": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85"
},
{
"name": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950"
}
],
"source": {
"advisory": "GHSA-897w-jv7j-6r7g",
"discovery": "UNKNOWN"
},
"title": "OroCRMCallBundle has incorrect call view page visibility"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32063",
"datePublished": "2023-11-28T03:30:22.578Z",
"dateReserved": "2023-05-01T16:47:35.314Z",
"dateUpdated": "2024-08-02T15:03:28.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32062 (GCVE-0-2023-32062)
Vulnerability from nvd – Published: 2023-11-27 20:58 – Updated: 2024-08-02 15:03
Title
OroCalendarBundle has incorrect system calendar events visibility
Summary
OroPlatform is a package that assists system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks. This vulnerability has been patched in version 5.1.1.
Severity
5 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/oroinc/crm/security/advisories… | x_refsource_CONFIRM |
| https://github.com/oroinc/OroCalendarBundle/commi… | x_refsource_MISC |
| https://github.com/oroinc/OroCalendarBundle/commi… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:28.737Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g"
},
{
"name": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b"
},
{
"name": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "crm",
"vendor": "oroinc",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0, \u003c= 4.2.6"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c= 5.0.6"
},
{
"status": "affected",
"version": "\u003e= 5.1.0, \u003c 5.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OroPlatform is a package that assists system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks. This vulnerability has been patched in version 5.1.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-27T20:58:35.357Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g"
},
{
"name": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b"
},
{
"name": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531"
}
],
"source": {
"advisory": "GHSA-x2xm-p6vq-482g",
"discovery": "UNKNOWN"
},
"title": "OroCalendarBundle has incorrect system calendar events visibility"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32062",
"datePublished": "2023-11-27T20:58:35.357Z",
"dateReserved": "2023-05-01T16:47:35.313Z",
"dateUpdated": "2024-08-02T15:03:28.737Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-39198 (GCVE-0-2021-39198)
Vulnerability from nvd – Published: 2021-11-19 21:30 – Updated: 2024-08-04 01:58
Title
The disqualify lead action may be executed without CSRF token check
Summary
OroCRM is an open source Client Relationship Management (CRM) application. Affected versions were found to suffer from a vulnerability through which an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability and all users are advised to update their package.
Severity
4.2 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/oroinc/crm/security/advisories… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:58:18.171Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "crm",
"vendor": "oroinc",
"versions": [
{
"status": "affected",
"version": "\u003e=4.2.0, \u003c 4.2.7"
},
{
"status": "affected",
"version": "\u003c 4.1.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OroCRM is an open source Client Relationship Management (CRM) application. Affected versions we found to suffer from a vulnerability which could an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability and all users are advised to update their package."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-19T21:30:09.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43"
}
],
"source": {
"advisory": "GHSA-vf7h-6246-hm43",
"discovery": "UNKNOWN"
},
"title": "The disqualify lead action may be executed without CSRF token check",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-39198",
"STATE": "PUBLIC",
"TITLE": "The disqualify lead action may be executed without CSRF token check"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "crm",
"version": {
"version_data": [
{
"version_value": "\u003e=4.2.0, \u003c 4.2.7"
},
{
"version_value": "\u003c 4.1.17"
}
]
}
}
]
},
"vendor_name": "oroinc"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OroCRM is an open source Client Relationship Management (CRM) application. Affected versions we found to suffer from a vulnerability which could an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability and all users are advised to update their package."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352: Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43",
"refsource": "CONFIRM",
"url": "https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43"
}
]
},
"source": {
"advisory": "GHSA-vf7h-6246-hm43",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-39198",
"datePublished": "2021-11-19T21:30:09.000Z",
"dateReserved": "2021-08-16T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:58:18.171Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32063 (GCVE-0-2023-32063)
Vulnerability from cvelistv5 – Published: 2023-11-28 03:30 – Updated: 2024-08-02 15:03
Title
OroCRMCallBundle has incorrect call view page visibility
Summary
OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1.
Severity
5 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/oroinc/crm/security/advisories… | x_refsource_CONFIRM |
| https://github.com/oroinc/OroCRMCallBundle/commit… | x_refsource_MISC |
| https://github.com/oroinc/OroCRMCallBundle/commit… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:28.874Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g"
},
{
"name": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85"
},
{
"name": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "crm",
"vendor": "oroinc",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0, \u003c= 4.2.5"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.0.4"
},
{
"status": "affected",
"version": "\u003e= 5.1.0, \u003c 5.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-28T03:30:22.578Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/oroinc/crm/security/advisories/GHSA-897w-jv7j-6r7g"
},
{
"name": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/oroinc/OroCRMCallBundle/commit/456b1dda7762abf4ff59eafffaa70ab7f09d1c85"
},
{
"name": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/oroinc/OroCRMCallBundle/commit/9a41dff459bb4aff864175ca883d553ac0954950"
}
],
"source": {
"advisory": "GHSA-897w-jv7j-6r7g",
"discovery": "UNKNOWN"
},
"title": "OroCRMCallBundle has incorrect call view page visibility"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32063",
"datePublished": "2023-11-28T03:30:22.578Z",
"dateReserved": "2023-05-01T16:47:35.314Z",
"dateUpdated": "2024-08-02T15:03:28.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32062 (GCVE-0-2023-32062)
Vulnerability from cvelistv5 – Published: 2023-11-27 20:58 – Updated: 2024-08-02 15:03
Title
OroCalendarBundle has incorrect system calendar events visibility
Summary
OroPlatform is a package that assists system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks. This vulnerability has been patched in version 5.1.1.
Severity
5 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/oroinc/crm/security/advisories… | x_refsource_CONFIRM |
| https://github.com/oroinc/OroCalendarBundle/commi… | x_refsource_MISC |
| https://github.com/oroinc/OroCalendarBundle/commi… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:28.737Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g"
},
{
"name": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b"
},
{
"name": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "crm",
"vendor": "oroinc",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.0, \u003c= 4.2.6"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c= 5.0.6"
},
{
"status": "affected",
"version": "\u003e= 5.1.0, \u003c 5.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OroPlatform is a package that assists system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks. This vulnerability has been patched in version 5.1.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-27T20:58:35.357Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g"
},
{
"name": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b"
},
{
"name": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531"
}
],
"source": {
"advisory": "GHSA-x2xm-p6vq-482g",
"discovery": "UNKNOWN"
},
"title": "OroCalendarBundle has incorrect system calendar events visibility"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32062",
"datePublished": "2023-11-27T20:58:35.357Z",
"dateReserved": "2023-05-01T16:47:35.313Z",
"dateUpdated": "2024-08-02T15:03:28.737Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-39198 (GCVE-0-2021-39198)
Vulnerability from cvelistv5 – Published: 2021-11-19 21:30 – Updated: 2024-08-04 01:58
Title
The disqualify lead action may be executed without CSRF token check
Summary
OroCRM is an open source Client Relationship Management (CRM) application. Affected versions were found to suffer from a vulnerability through which an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability and all users are advised to update their package.
Severity
4.2 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/oroinc/crm/security/advisories… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T01:58:18.171Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "crm",
"vendor": "oroinc",
"versions": [
{
"status": "affected",
"version": "\u003e=4.2.0, \u003c 4.2.7"
},
{
"status": "affected",
"version": "\u003c 4.1.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OroCRM is an open source Client Relationship Management (CRM) application. Affected versions we found to suffer from a vulnerability which could an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability and all users are advised to update their package."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-19T21:30:09.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43"
}
],
"source": {
"advisory": "GHSA-vf7h-6246-hm43",
"discovery": "UNKNOWN"
},
"title": "The disqualify lead action may be executed without CSRF token check",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-39198",
"STATE": "PUBLIC",
"TITLE": "The disqualify lead action may be executed without CSRF token check"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "crm",
"version": {
"version_data": [
{
"version_value": "\u003e=4.2.0, \u003c 4.2.7"
},
{
"version_value": "\u003c 4.1.17"
}
]
}
}
]
},
"vendor_name": "oroinc"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OroCRM is an open source Client Relationship Management (CRM) application. Affected versions we found to suffer from a vulnerability which could an attacker is able to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this vulnerability and all users are advised to update their package."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352: Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43",
"refsource": "CONFIRM",
"url": "https://github.com/oroinc/crm/security/advisories/GHSA-vf7h-6246-hm43"
}
]
},
"source": {
"advisory": "GHSA-vf7h-6246-hm43",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-39198",
"datePublished": "2021-11-19T21:30:09.000Z",
"dateReserved": "2021-08-16T00:00:00.000Z",
"dateUpdated": "2024-08-04T01:58:18.171Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}