Lucene search

Veracode Vulnerability DatabaseVERACODE:44473

HistoryNov 29, 2023 - 9:58 a.m.

Information Disclosure

2023-11-2909:58:37

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

oro/commerce

vulnerability

information disclosure

order id

access control

bypass

5.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

6.8 Medium

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

17.1%

JSON

oro/commerce is vulnerable to Information Disclosure. The vulnerability allows back-office users to bypass access control (ACL) restrictions and access detailed order totals information by simply knowing the order ID.

CPENameOperatorVersion
oro/commercele5.1.0
oro/commercele5.1.0

CPE	Name	Operator	Version
	oro/commerce	le	5.1.0
	oro/commerce	le	5.1.0

References

github.com/advisories/GHSA-88g2-xgh9-4ph2

github.com/oroinc/orocommerce/commit/b7746aabb3db4be9584654e1694fc45a9c149301

github.com/oroinc/orocommerce/security/advisories/GHSA-88g2-xgh9-4ph2

5.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

6.8 Medium

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

17.1%

JSON

Related for VERACODE:44473