Lucene search
GitHub Advisory DatabaseGHSA-VXQ2-P937-3PX3HistoryMar 25, 2024 - 7:39 p.m.
Pinned entity creation form shows wrong data
2024-03-2519:39:21
CWE-200
GitHub Advisory Database
github.com
10
access control
data leakage
security patch
entity manipulation.
CVSS3
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
AI Score
6.9
Confidence
High
EPSS
0
Percentile
9.0%
Impact
Logged in user can access page state data of pinned pages of other users by pageId hash.
Patch
--- src/Oro/Bundle/NavigationBundle/Controller/Api/PagestateController.php
+++ src/Oro/Bundle/NavigationBundle/Controller/Api/PagestateController.php
@@ -158,6 +158,13 @@
AbstractPageState::generateHash($this->get('request_stack')->getCurrentRequest()->get('pageId'))
);
+ if ($entity) {
+ $entity = $this->getEntity($entity->getId());
+ }
+ if (!$entity) {
+ return $this->handleNotFound();
+ }
+
return $this->handleView($this->view($this->getState($entity), Response::HTTP_OK));
}
Affected configurations
Node
oroplatformRange4.2.0–4.2.10
ORoroplatformRange5.0.0–5.0.12
ORoroplatformRange5.1.0–5.1.3
Related
nvd
nvd
CVE-2023-45824
2024-03-25 19:15:57
cvelist
cvelist
osv
osv
CVE-2023-45824
2024-03-25 19:15:57
Pinned entity creation form shows wrong data
2024-03-25 19:39:21
veracode
veracode
Unauthorized Access
2024-03-29 13:16:43
cve
cve
CVE-2023-45824
2024-03-25 19:15:57
vulnrichment
vulnrichment
CVSS3
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
AI Score
6.9
Confidence
High
EPSS
0
Percentile
9.0%
Related for GHSA-VXQ2-P937-3PX3