GHSA-8gwj-68w6-7v6c: OroCommerce Customer Portal Incorrect Customer and Customer Group Frontend Menus pages visibility

Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks.


Moderate severity. GitHub Reviewed. Published Nov 27, 2023 in oroinc/orocommerce. Updated Nov 27, 2023.

Package: oro/customer-portal (Composer)

Affected versions:
  • >= 4.2.0, <= 4.2.8
  • >= 5.0.0, < 5.0.11
  • >= 5.1.0, < 5.1.1

Patched versions:
  • 5.0.11
  • 5.1.1


References

  • GHSA-8gwj-68w6-7v6c

Published to the GitHub Advisory Database: Nov 27, 2023

Last updated: Nov 27, 2023

Related news

CVE-2023-32064: Incorrect Customer and Customer Group Frontend Menus pages visibility

OroCommerce package with customer portal and non-authenticated visitor website base features. Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in versions 5.0.11 and 5.1.1.
