Khrysev

**Nome do software vulnerável e versões afetadas** Versões do OroPlatform anteriores à 5.1.4 **Descrição** O problema diz respeito ao OroPlatform, uma plataforma de aplicativos de negócios (BAP) em PHP, na qual o histórico de navegação, os itens mais visualizados e os favoritos são exibidos para um usuário da loja virtual em uma resposta de navegação JSON, caso o ID desse usuário coincida com o ID de um usuário do back-office. **Recomendações** Para versões anteriores à 5.1.4, atualize para a versão 5.1.4 para resolver o problema. Como solução alternativa temporária, considere restringir o acesso a itens de navegação confidenciais até que a atualização seja aplicada.

**Nome do software vulnerável e versões afetadas** Versões do OroPlatform anteriores à 5.1.4 **Descrição** Um usuário conectado pode acessar os dados de estado das páginas fixadas de outros usuários por meio do hash do pageId. Essa vulnerabilidade permite o acesso não autorizado a informações confidenciais. **Recomendações** Para versões anteriores à 5.1.4, atualize para a versão 5.1.4 para resolver o problema. Como solução alternativa temporária, considere restringir o acesso ao `PagestateController` para minimizar o risco de exploração.

**Name of the Vulnerable Software and Affected Versions** OroCalendarBundle versions prior to 5.0.4 OroCalendarBundle versions prior to 5.1.1 **Description** The issue allows back-office users to access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This is related to the Calendar feature and functionality in Oro applications. **Recommendations** For OroCalendarBundle versions prior to 5.0.4, update to version 5.0.4 or later to resolve the issue. For OroCalendarBundle versions prior to 5.1.1, update to version 5.1.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OroCommerce versions prior to 5.0.11 OroCommerce versions prior to 5.1.1 **Description** The issue allows detailed order totals information to be received by Order ID, and detailed checkout totals information may be received by Checkout ID. **Recommendations** For versions prior to 5.0.11, update to version 5.0.11 or later. For versions prior to 5.1.1, update to version 5.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** OroCommerce versions prior to 5.0.11 OroCommerce versions prior to 5.1.1 **Description** The issue allows back-office users to access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks. **Recommendations** For versions prior to 5.0.11, update to version 5.0.11 or later to resolve the issue. For versions prior to 5.1.1, update to version 5.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Customer and Customer User menus until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** OroPlatform versions prior to 5.1.1 **Description** The issue affects the OroPlatform package, which is used for system and user calendar management. It allows back-office users to access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks. **Recommendations** For versions prior to 5.1.1, update to version 5.1.1 to resolve the issue. As a temporary workaround, consider restricting access to calendar events to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OroCommerce versions 4.1.0 through 4.1.13 OroCommerce versions 4.2.0 through 4.2.10 OroCommerce versions 5.0.0 through 5.0.10 OroCommerce versions 5.1.0 **Description** The issue allows a JS payload added to the product name to be executed at the storefront when adding a note to the shopping list line item containing a vulnerable product. An attacker can edit a product in the admin area and force a user to add this product to the Shopping List and click add a note for it. **Recommendations** For versions 4.1.0 through 4.1.13, update to version 5.0.11 or later. For versions 4.2.0 through 4.2.10, update to version 5.0.11 or later. For versions 5.0.0 through 5.0.10, update to version 5.0.11. For version 5.1.0, update to version 5.1.1.