Lucene search

K
githubGitHub Advisory DatabaseGHSA-897W-JV7J-6R7G
HistoryNov 27, 2023 - 11:29 p.m.

OroCRMCallBundle has incorrect call view page visibility

2023-11-2723:29:31
CWE-284
GitHub Advisory Database
github.com
2
orocrmcallbundle
incorrect visibility
back-office
acl security restrictions
insufficient security checks
software

5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

6.9 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

21.6%

Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks.

Affected configurations

Vulners
Node
orocrm-call-bundleRange<5.1.1
OR
orocrm-call-bundleRange<5.0.4
OR
orocrm-call-bundleRange4.2.5

5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

6.9 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

21.6%

Related for GHSA-897W-JV7J-6R7G