61 matches found
Unauthorized Access
oro/platform is vulnerable to Unauthorized Access. The vulnerability is due to inadequate access control measures within the OroPlatform's handling of page state data, which allows logged-in users to access the page state data of pinned pages belonging to other users by exploiting pageId hashes...
Information Disclosure
OroPlatform is vulnerable to Information Disclosure. The vulnerability is due to insufficient access control mechanisms in OroPlatform's JSON navigation response. Specifically, sensitive navigation history, most viewed, and favorite navigation items are disclosed to a storefront user if their ID...
CVE-2023-48296
OroPlatform is a PHP Business Application Platform BAP. Navigation history, most viewed and favorite navigation items are returned to storefront user in JSON navigation response if ID of storefront user matches ID of back-office user. This vulnerability is fixed in 5.1.4...
CVE-2023-45824
OroPlatform is a PHP Business Application Platform BAP. A logged in user can access page state data of pinned pages of other users by pageId hash. This vulnerability is fixed in 5.1.4...
CVE-2023-48296 OroPlatform's storefront user can access history and most viewed data from matching back-office user with the same ID
OroPlatform is a PHP Business Application Platform BAP. Navigation history, most viewed and favorite navigation items are returned to storefront user in JSON navigation response if ID of storefront user matches ID of back-office user. This vulnerability is fixed in 5.1.4...
CVE-2023-48296
Summary: OroPlatform (PHP BAP) contains an information disclosure vulnerability in the JSON navigation response. If a storefront user’s ID matches a back-office user’s ID, the response leaks navigation history, as well as most viewed and favorite navigation items. Root cause: Insufficient access ...
CVE-2023-48296 OroPlatform's storefront user can access history and most viewed data from matching back-office user with the same ID
OroPlatform is a PHP Business Application Platform BAP. Navigation history, most viewed and favorite navigation items are returned to storefront user in JSON navigation response if ID of storefront user matches ID of back-office user. This vulnerability is fixed in 5.1.4...
CVE-2023-48296 OroPlatform's storefront user can access history and most viewed data from matching back-office user with the same ID
OroPlatform is a PHP Business Application Platform BAP. Navigation history, most viewed and favorite navigation items are returned to storefront user in JSON navigation response if ID of storefront user matches ID of back-office user. This vulnerability is fixed in 5.1.4...
CVE-2023-45824
The CVE-2023-45824 issue affects OroPlatform (PHP BAP). A logged-in user can access page state data of pinned pages belonging to other users by using a pageId hash. Publicly documented details indicate this affects OroPlatform versions across multiple lines: 4.2.0–4.2.10, 5.0.0–5.0.12, and 5.1.0–...
CVE-2023-45824 OroPlatform's pinned entity creation form shows pages of other users
OroPlatform is a PHP Business Application Platform BAP. A logged in user can access page state data of pinned pages of other users by pageId hash. This vulnerability is fixed in 5.1.4...
CVE-2023-45824 OroPlatform's pinned entity creation form shows pages of other users
OroPlatform is a PHP Business Application Platform BAP. A logged in user can access page state data of pinned pages of other users by pageId hash. This vulnerability is fixed in 5.1.4...
CVE-2023-45824 OroPlatform's pinned entity creation form shows pages of other users
OroPlatform is a PHP Business Application Platform BAP. A logged in user can access page state data of pinned pages of other users by pageId hash. This vulnerability is fixed in 5.1.4...
PT-2024-13289 · Unknown · Oroplatform
Name of the Vulnerable Software and Affected Versions: OroPlatform versions prior to 5.1.4 Description: A logged in user can access page state data of pinned pages of other users by pageId hash. This issue allows unauthorized access to sensitive information. Recommendations: For versions prior to...
OroPlatform 安全漏洞
OroPlatform is a PHP Business Application Platform BAP designed to make the development of custom business applications easier and faster. A security vulnerability exists in OroPlatform that originates from allowing logged-in users to access page state data from other users' fixed pages via pageI...
OroCalendarBundle has incorrect system calendar events visibility
OroPlatform is a package that assist system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks...
GHSA-X2XM-P6VQ-482G OroCalendarBundle has incorrect system calendar events visibility
OroPlatform is a package that assist system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks...
OroPlatform vulnerable to path traversal during temporary file manipulations
Impact Path Traversal is possible in Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName. With this method, an attacker can pass the path to a non-existent file, which will allow writing the content to a new file that will be available during script execution. The file will be deleted...
GHSA-9V3J-4J64-P937 OroPlatform vulnerable to path traversal during temporary file manipulations
Impact Path Traversal is possible in Oro\Bundle\GaufretteBundle\FileManager::getTemporaryFileName. With this method, an attacker can pass the path to a non-existent file, which will allow writing the content to a new file that will be available during script execution. The file will be deleted...
CVE-2023-32062
OroPlatform is a package that assists system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks. This vulnerability has been patched in version 5.1.1...
Security feature bypass
OroPlatform is a package that assists system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks. This vulnerability has been patched in version 5.1.1...