Lucene search

Veracode Vulnerability DatabaseVERACODE:44456

HistoryNov 29, 2023 - 6:20 a.m.

Improper Access Control

2023-11-2906:20:18

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

permission checks

system calendar event

back-office users

acl security restrictions

software

5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.6%

JSON

oro/calendar-bundle is vulnerable to Improper Access Control. The vulnerability exists due to the lack of permission checks in the checkPermissions function of SystemCalendarEventController.php. This allows back-office users to access information from any system calendar event, bypassing ACL security restrictions.

CPENameOperatorVersion
oro/calendar-bundlele5.0.6
oro/calendar-bundlele5.1.0
oro/calendar-bundlele5.0.6
oro/calendar-bundlele5.1.0

Name	Operator	Version
oro/calendar-bundle	le	5.0.6
oro/calendar-bundle	le	5.1.0
oro/calendar-bundle	le	5.0.6
oro/calendar-bundle	le	5.1.0

References

github.com/advisories/GHSA-x2xm-p6vq-482g

github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g

github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b

github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531

5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.6%

JSON

Related for VERACODE:44456