CVE-2023-45824

Severity: MEDIUM (CVSS 4.3) | EPSS: 0.24%

Pinned entity creation form shows wrong data

Published: 3/25/2024
Modified: 3/25/2024
Also known as: GHSA-vxq2-p937-3px3

Description

### Impact

A logged-in user can access the page state data of other users' pinned pages via the pageId hash.

### Patch

```patch
--- src/Oro/Bundle/NavigationBundle/Controller/Api/PagestateController.php +++ src/Oro/Bundle/NavigationBundle/Controller/Api/PagestateController.php @@ -158,6 +158,13 @@ AbstractPageState::generateHash($this->get('request_stack')->getCurrentRequest()->get('pageId')) ); + if ($entity) { + $entity = $this->getEntity($entity->getId()); + } + if (!$entity) { + return $this->handleNotFound(); + } + return $this->handleView($this->view($this->getState($entity), Response::HTTP_OK)); }
```
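Review bot: the authorization check in this hunk is delegated entirely to `$this->getEntity($entity->getId())`, whose access filtering is not visible here, so the fix is only as strong as that method's ownership/ACL enforcement; a one-line comment at the re-fetch stating that getEntity() applies the current user's access rules would make the intent explicit and keep a later refactor from swapping it for a plain repository lookup. The preceding lookup by `AbstractPageState::generateHash(...)` still resolves another user's page state before the check, which is acceptable because that result is discarded, and returning `handleNotFound()` for both the missing and the not-owned case is the right choice, since a 403 would confirm to the caller that a guessed hash exists.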

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | MEDIUM 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |

References (4)