{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "4.2.0" }, { "last_affected": "4.2.6" } ] }, "events": [ { "introduced": "02b399094bdabe39589b795f73e7e395267d91ce" }, { "last_affected": "5c4144abf43ed4c502164a839da797252772fd1d" } ], "repo": "https://github.com/oroinc/orocalendarbundle", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "5.0.0" }, { "last_affected": "5.0.6" } ] }, "events": [ { "introduced": "3ab51e27e43b018eed1ae30a475e5932ee164cf2" }, { "last_affected": "057d7376ddbe307b312d9520aaf528d5fcafdbcb" } ], "repo": "https://github.com/oroinc/orocalendarbundle", "type": "GIT" }, { "database_specific": { "versions": [ { "introduced": "5.1.0" }, { "fixed": "5.1.1" } ] }, "events": [ { "introduced": "f125afd7daabecbb997439f0aaf242299f505a24" }, { "fixed": "8d72eadda1f92c6cd036c485dbbc58ab31916b5b" } ], "repo": "https://github.com/oroinc/orocalendarbundle", "type": "GIT" } ] }, { "ranges": [ { "database_specific": { "versions": [ { "introduced": "4.2.0" }, { "last_affected": "4.2.6" }, { "introduced": "5.0.0" }, { "fixed": "5.0.7" }, { "introduced": "5.1.0" }, { "fixed": "5.1.1" } ] }, "events": [ { "introduced": "02bffd6c9c5cef5a16916b4c96cd4fab109fb999" }, { "last_affected": "c25da4040cf8c61de516fb2dd140140ab5998746" }, { "introduced": "a98b3aa020dae96d8191a0cdfa94ad009ad41a3e" }, { "fixed": "1d1e5f67803da3d82a56e5a910f9c887d1946e77" }, { "introduced": "b7bd07777fe1952909ce37b1de3dd221d562ab97" }, { "fixed": "391060385315ab15dafacd21282842de207c5754" } ], "repo": "https://github.com/oroinc/platform", "type": "GIT" } ] } ], "aliases": [ "GHSA-x2xm-p6vq-482g" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-284" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/32xxx/CVE-2023-32062.json" }, "details": "OroPlatform is a package that assists system and user calendar management. Back-office users can access information from any system calendar event, bypassing ACL security restrictions due to insufficient security checks. This vulnerability has been patched in version 5.1.1.", "id": "CVE-2023-32062", "modified": "2026-04-01T23:09:20.953005943Z", "published": "2023-11-27T20:58:35.357Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/32xxx/CVE-2023-32062.json" }, { "type": "ADVISORY", "url": "https://github.com/oroinc/crm/security/advisories/GHSA-x2xm-p6vq-482g" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32062" }, { "type": "FIX", "url": "https://github.com/oroinc/OroCalendarBundle/commit/460a8ffb63b10c76f2fa26d53512164851c4909b" }, { "type": "FIX", "url": "https://github.com/oroinc/OroCalendarBundle/commit/5f4734aa02088191c1c1d90ac0909f48610fe531" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "type": "CVSS_V3" } ], "summary": "OroCalendarBundle has incorrect system calendar events visibility" }