CVE-2023-32065: OroCommerce get-totals-for-checkout API endpoint returns unwanted data

CVSS Score: 5.8 (CVSS 3.1)

Basic Information

CVE ID: CVE-2023-32065
GHSA ID:
EPSS Score: 0.41068%
CWE:
Published: 11/27/2023
Updated: 11/28/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
oro/commerce | composer | >= 4.2.0, <= 4.2.10 | |
oro/commerce | composer | >= 5.0.0, < 5.0.11 | 5.0.11 |
oro/commerce | composer | >= 5.1.0, < 5.1.1 | 5.1.1 |
Vulnerability Intelligence (Miggo AI)

Root Cause Analysis
The vulnerability stems from improper access control (CWE-284) in an API endpoint. The pattern suggests a missing authorization check in the controller action responsible for handling checkout totals requests. The endpoint name 'get-totals-for-checkout' maps to a standard Symfony controller action naming convention (getTotalsForCheckoutAction). The vulnerability allows data exposure through Checkout ID enumeration, indicating the handler didn't verify user permissions before returning sensitive checkout totals data. The confidence is high as this pattern matches the described vulnerability and typical Symfony architecture, though without direct code access we rely on standard implementation patterns.
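The following is an added illustration of the pattern the analysis describes, not OroCommerce's code and not the Miggo AI output: a handler that returns checkout totals for any ID it is given, beside the same handler with the ownership check the analysis says was missing. The class names, field names, sample checkouts and user IDs are all constructed for the example.

```php
<?php
// Added illustration (not OroCommerce code): a "get totals for checkout"
// handler with and without an ownership check. Every name here is hypothetical.

declare(strict_types=1);

final class AccessDenied extends RuntimeException {}
final class NotFound extends RuntimeException {}

/** Constructed in-memory stand-in for a checkout repository. */
final class CheckoutStore
{
    /** @var array<int, array{ownerId:int, subtotal:float, shipping:float}> */
    private array $rows = [
        101 => ['ownerId' => 1, 'subtotal' => 120.00, 'shipping' => 9.50],
        102 => ['ownerId' => 2, 'subtotal' => 45.00,  'shipping' => 0.00],
        103 => ['ownerId' => 2, 'subtotal' => 310.25, 'shipping' => 15.00],
    ];

    public function find(int $id): ?array
    {
        return $this->rows[$id] ?? null;
    }
}

/** Builds the response body from a stored checkout row. */
function totalsOf(array $row): array
{
    return [
        'subtotal' => $row['subtotal'],
        'shipping' => $row['shipping'],
        'total'    => $row['subtotal'] + $row['shipping'],
    ];
}

/**
 * Vulnerable shape (CWE-284): trusts the checkout ID from the request and
 * returns totals for whatever record it names, so any caller can walk the
 * ID space and read other customers' checkouts.
 */
function getTotalsUnchecked(CheckoutStore $store, int $checkoutId): array
{
    $row = $store->find($checkoutId);
    if ($row === null) {
        throw new NotFound("checkout $checkoutId");
    }
    return totalsOf($row);
}

/**
 * Hardened shape: the caller must be authenticated and must own the checkout.
 * A missing checkout and a foreign checkout raise the same NotFound, so the
 * response does not reveal which IDs exist.
 */
function getTotalsForOwner(CheckoutStore $store, int $checkoutId, ?int $currentUserId): array
{
    if ($currentUserId === null) {
        throw new AccessDenied('authentication required');
    }
    $row = $store->find($checkoutId);
    if ($row === null || $row['ownerId'] !== $currentUserId) {
        throw new NotFound("checkout $checkoutId");
    }
    return totalsOf($row);
}

// Demonstration: the same three IDs requested as customer user 2 through
// both handlers. Only the owner-checked handler withholds checkout 101.
$store = new CheckoutStore();
foreach ([101, 102, 103] as $id) {
    $handlers = [
        'unchecked'     => fn() => getTotalsUnchecked($store, $id),
        'owner-checked' => fn() => getTotalsForOwner($store, $id, 2),
    ];
    foreach ($handlers as $label => $call) {
        try {
            $t = $call();
            printf("%-13s id=%d -> total %.2f\n", $label, $id, $t['total']);
        } catch (RuntimeException $e) {
            printf("%-13s id=%d -> %s: %s\n", $label, $id, get_class($e), $e->getMessage());
        }
    }
}
```

Run it with `php example.php` (PHP 8 or later). In a real application the ownership rule belongs in the framework's access-control layer (a voter or ACL check bound to the route) rather than in each action, so that a newly added endpoint cannot omit it the way the analysis suggests this one did.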