PT-2024-13577 · Unknown · Oroplatform

Khrysev · Published 2024-03-25 · Updated 2024-03-26 · CVE-2023-48296

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OroPlatform versions prior to 5.1.4
Description: The issue concerns OroPlatform, a PHP Business Application Platform (BAP). Navigation history, most viewed, and favorite navigation items belonging to a back-office user are returned to a storefront user in the JSON navigation response if the storefront user's ID matches the back-office user's ID, because the two user types share a numeric ID space and the lookup does not distinguish between them.
Recommendations: For versions prior to 5.1.4, update to version 5.1.4 to resolve the issue. As a temporary workaround, consider restricting access to sensitive navigation items until the update is applied.
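To make the mechanism in the description concrete, the following PHP sketch is an added illustration and is not OroPlatform's code. The in-memory rows, the `scope` field, the constants and the two function names are hypothetical; the point is the difference between a navigation lookup keyed only by a numeric ID shared across user types and one that also scopes the lookup to the principal type that owns the record.

```php
<?php
// Added illustration (not OroPlatform code): two principal types that share
// a numeric ID space, and a navigation-history lookup keyed by ID alone.

declare(strict_types=1);

// Constructed sample rows belonging to back-office user ID 7.
$backOfficeHistory = [
    ['user_id' => 7, 'title' => 'Orders awaiting approval', 'url' => '/admin/orders?status=pending'],
    ['user_id' => 7, 'title' => 'Price list: wholesale',    'url' => '/admin/pricelist/3'],
];

// Vulnerable pattern: the filter compares only the numeric ID, so a
// storefront user who also has ID 7 is handed the back-office user's items.
function navigationItemsByIdOnly(array $rows, int $userId): array
{
    return array_values(array_filter(
        $rows,
        fn(array $r): bool => $r['user_id'] === $userId
    ));
}

// Hardened pattern: every record carries the type of principal that wrote
// it, and the caller must supply the type of the principal making the
// request. Rows stored under the back-office scope can never be selected
// by a storefront request, whatever the numeric IDs happen to be.
const SCOPE_BACK_OFFICE = 'back_office';
const SCOPE_STOREFRONT  = 'storefront';

function navigationItemsScoped(array $rows, string $scope, int $userId): array
{
    return array_values(array_filter(
        $rows,
        fn(array $r): bool => $r['scope'] === $scope && $r['user_id'] === $userId
    ));
}

// Tag the constructed rows with the scope they belong to.
$scopedRows = array_map(
    fn(array $r): array => $r + ['scope' => SCOPE_BACK_OFFICE],
    $backOfficeHistory
);

// A storefront user with ID 7 requests their navigation history.
$leaked = navigationItemsByIdOnly($backOfficeHistory, 7);          // two back-office items
$safe   = navigationItemsScoped($scopedRows, SCOPE_STOREFRONT, 7); // empty array

echo json_encode(['id_only' => $leaked, 'scoped' => $safe], JSON_PRETTY_PRINT), PHP_EOL;
```

The hardened version treats (principal type, ID) as the key rather than the bare ID; a reviewer checking similar per-user caches or history tables should look for any lookup where the ID alone is the filter while more than one user type can be authenticated. The actual remediation for affected installations remains the upgrade to 5.1.4 named above.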

Category: Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2023-48296
GHSA-V7PX-46V9-5QWP

Affected Products

Oroplatform