Headline
CVE-2023-32064: Incorrect Customer and Customer Group Frontend Menus pages visibility
OroCommerce package with customer portal and non authenticated visitor website base features. Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.11 and 5.1.1.
Skip to content
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
- Pricing
Search code, repositories, users, issues, pull requests…
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
Moderate
dkhrysev published GHSA-8gwj-68w6-7v6c
Nov 27, 2023
Package
composer oro/customer-portal (Composer)
Affected versions
>=4.2.0, <=4.2.8 || >=5.0.0, <=5.0.10 || >=5.1.0, <5.1.1
Patched versions
5.1.1, 5.0.11
Description
Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks.
Severity
CVSS base metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Related news
Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks.