VYPR
Moderate severity · NVD Advisory · Published Nov 27, 2023 · Updated Aug 2, 2024

OroCalendarBundle has incorrect system calendar events visibility

CVE-2023-32062

Description

OroPlatform's calendar management fails to enforce ACL checks, allowing back-office users to view any system calendar event; patched in version 5.1.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2023-32062 is an access control vulnerability in OroPlatform's calendar management component (OroCalendarBundle). The root cause is insufficient security checks in the checkPermissions method, which fails to verify whether a back-office user has the required permissions to view system calendar events. This allows authenticated users to bypass ACL restrictions and access any system calendar event [1][2][3].

Exploitation

An attacker with back-office user credentials can exploit this vulnerability by directly navigating to system calendar event URLs or through the calendar interface. No special network position is required; only a valid back-office session is needed. The vulnerability is triggered when the application does not properly enforce permission checks for viewing system calendar events [1][4].

Impact

Successful exploitation allows an attacker to read any system calendar event, potentially exposing sensitive scheduling information. This impacts confidentiality, as unauthorized users can access data that should be restricted by ACL policies [1][4].

Mitigation

The vulnerability has been patched in OroPlatform version 5.1.1. The fix adds explicit permission checks for both public and system calendar management, ensuring that only authorized users can view system calendar events [2][3][4]. Users are advised to upgrade to the patched version immediately.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Affected versions     Patched versions
oro/calendar-bundle (Packagist)    >= 4.2.0, <= 4.2.6    (none listed)
oro/calendar-bundle (Packagist)    >= 5.0.0, < 5.0.7     5.0.7
oro/calendar-bundle (Packagist)    >= 5.1.0, < 5.1.1     5.1.1
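As an added check, not part of the advisory or of the OroCalendarBundle project, the following Python script reads the oro/calendar-bundle version pinned in a composer.lock, places it against the affected ranges transcribed from the table above, and reports the patched version the table names for that release line. The composer.lock fragment is constructed for the example; only the range tuples come from the page.

```python
import json
import re

# Affected ranges for oro/calendar-bundle, transcribed from the advisory's
# "Affected packages" table for CVE-2023-32062:
# (lower bound, lower inclusive, upper bound, upper inclusive, patched version or None)
AFFECTED_RANGES = [
    ("4.2.0", True, "4.2.6", True, None),     # 4.2.x: the table lists no patched version
    ("5.0.0", True, "5.0.7", False, "5.0.7"),
    ("5.1.0", True, "5.1.1", False, "5.1.1"),
]

PACKAGE = "oro/calendar-bundle"


def parse_version(version: str) -> tuple:
    """Turn a Composer-style version ('v5.0.6', '5.0.6', '5.0.6.0') into a
    4-tuple of ints for comparison. Pre-release suffixes ('-beta1') are
    dropped; branch aliases such as 'dev-master' raise ValueError."""
    match = re.fullmatch(r"v?(\d+(?:\.\d+){0,3})(?:[-+].*)?", version.strip())
    if match is None:
        raise ValueError(f"non-numeric version: {version!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts.extend([0] * (4 - len(parts)))
    return tuple(parts)


def in_range(version, lower, lower_inc, upper, upper_inc) -> bool:
    """Inclusive/exclusive bound handling mirrors the table's >=, <=, < operators."""
    v, lo, hi = parse_version(version), parse_version(lower), parse_version(upper)
    above = v >= lo if lower_inc else v > lo
    below = v <= hi if upper_inc else v < hi
    return above and below


def assess_version(version: str) -> dict:
    """Report whether one installed version falls in an affected range and
    which patched version the table names for that release line.
    'affected' is None when the version cannot be compared (branch alias)."""
    try:
        for lower, li, upper, ui, patched in AFFECTED_RANGES:
            if in_range(version, lower, li, upper, ui):
                return {"version": version, "affected": True, "patched_version": patched}
    except ValueError:
        # e.g. 'dev-master': cannot be placed in a range, so flag for manual review
        return {"version": version, "affected": None, "patched_version": None}
    return {"version": version, "affected": False, "patched_version": None}


def assess_composer_lock(lock_text: str):
    """Locate the bundle in composer.lock ('packages' and 'packages-dev')
    and assess its pinned version; returns None when it is not installed."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == PACKAGE:
                return assess_version(pkg["version"])
    return None


# Constructed composer.lock fragment (not from any real project) with the
# bundle pinned to a version inside the 5.1 affected range.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "oro/platform", "version": "v5.1.0"},
        {"name": "oro/calendar-bundle", "version": "v5.1.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(assess_composer_lock(SAMPLE_LOCK))
    # {'version': 'v5.1.0', 'affected': True, 'patched_version': '5.1.1'}
```

Run it against a real lock file with `assess_composer_lock(open("composer.lock").read())`; a result with `affected: None` (a `dev-*` alias) should be resolved by hand rather than treated as clean, and a 4.2.x hit has no patched version in the table, so the only remedy the advisory supports there is moving to a 5.x line.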

Affected products: 2

Patches: 2

460a8ffb63b1

BAP-22046: Fix system calendar events (#35687)

https://github.com/oroinc/OroCalendarBundle · Yurii Muratov · Jun 1, 2023 · via ghsa
4 files changed · +62 −0
  • Controller/SystemCalendarEventController.php (+7 −0, modified)
    @@ -200,6 +200,13 @@ private function checkPermissions(SystemCalendar $systemCalendar = null)
     
             $this->checkPermissionByConfig($systemCalendar);
     
    +        $isGranted = $systemCalendar->isPublic()
    +            ? $this->isGranted('oro_public_calendar_management')
    +            : $this->isGranted('oro_system_calendar_management');
    +        if (!$isGranted) {
    +            throw new AccessDeniedException();
    +        }
    +
             if (!$systemCalendar->isPublic() && !$this->isGranted('VIEW', $systemCalendar)) {
                 // an user must have permissions to view system calendar
                 throw new AccessDeniedException();
    
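Review bot: the method signature still admits null (`SystemCalendar $systemCalendar = null`) but the added lines dereference it immediately via `$systemCalendar->isPublic()`; unless `checkPermissionByConfig()` already rejects null (not visible in this hunk), a missing calendar would surface as a method-call-on-null error rather than the intended 403. Suggest an explicit guard ahead of the capability check, e.g. `if (null === $systemCalendar) { throw new AccessDeniedException(); }`, or dropping the `= null` default if no caller passes null. The ordering of the two checks is sound: the capability (`oro_public_calendar_management` for public calendars, `oro_system_calendar_management` otherwise) is enforced first, and the pre-existing object-level `VIEW` check on non-public calendars is retained as a second layer, so a user needs both the capability and ACL access to the specific calendar.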
  • Tests/Behat/behat.yml (+1 −0, modified)
    @@ -9,6 +9,7 @@ oro_behat_extension:
             - Oro\Bundle\FormBundle\Tests\Behat\Context\FormContext
             - Oro\Bundle\TestFrameworkBundle\Tests\Behat\Context\OroMainContext
             - Oro\Bundle\SearchBundle\Tests\Behat\Context\SearchContext
    +        - Oro\Bundle\SecurityBundle\Tests\Behat\Context\ACLContext
           paths:
           - '@OroCalendarBundle/Tests/Behat/Features'
       pages:
    
  • Tests/Behat/Features/Fixtures/SystemCalendarEvent.yml (+15 −0, added)
    @@ -0,0 +1,15 @@
    +Oro\Bundle\CalendarBundle\Entity\SystemCalendar:
    +    systemCalendar:
    +        name: 'System Calendar'
    +        public: true
    +        createdAt: '<dateTime()>'
    +        updatedAt: '<dateTime()>'
    +        organization: '@organization'
    +
    +Oro\Bundle\CalendarBundle\Entity\CalendarEvent:
    +    calendarEvent:
    +        title: System Calendar Event
    +        systemCalendar: '@systemCalendar'
    +        start: <dateTimeBetween('+1 day', '+5 days')>
    +        end: <dateTimeBetween($start, '+10 days')>
    +        allDay: false
    
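Review bot: the fixture creates only a system calendar with `public: true`, so the regression scenario can exercise just the `oro_public_calendar_management` branch of the new ternary in the controller; the `oro_system_calendar_management` branch (a non-public calendar) has no fixture and therefore no coverage, even though that is the branch that the object-level `VIEW` check also guards. Suggest a second `SystemCalendar` with `public: false`, a `CalendarEvent` attached to it, and a scenario that reads it after the corresponding capability is removed. Minor: `createdAt`/`updatedAt` quote their generator expressions (`'<dateTime()>'`) while `start`/`end` leave them bare (`<dateTimeBetween(...)>`); pick one style.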
  • Tests/Behat/Features/system_calendar_event_by_direct_link.feature (+39 −0, added)
    @@ -0,0 +1,39 @@
    +@ticket-CRM-9408
    +@fixture-OroCalendarBundle:SystemCalendarEvent.yml
    +@fixture-OroUserBundle:manager.yml
    +
    +Feature: System calendar event by direct link
    +In order to keep system ACL protected
    +As an Administrator
    +I should be sure that access to the system calendar event by direct links are ACL protected
    +
    +  Scenario: Feature Background
    +    Given sessions active:
    +      | Admin  |first_session  |
    +      | Admin1 |second_session |
    +
    +  Scenario: View calendar event with default permissions
    +    Given I proceed as the Admin
    +    Given I login as administrator
    +    When I go to System / System Calendars
    +    And I click view "System Calendar" in grid
    +    Then I should see "System calendars"
    +    And I should see "System Calendar"
    +    When I click view "System Calendar Event" in grid
    +    Then I should see "System Calendar Event"
    +
    +
    +  Scenario: Edit manage system calendar capability
    +    Given I proceed as the Admin1
    +    And I login as administrator
    +    And I go to System / User Management / Roles
    +    And I filter Label as is equal to "Administrator"
    +    When I click edit "Administrator" in grid
    +    And I uncheck "Manage System Calendars (And Their Events)" entity permission
    +    And save and close form
    +    Then I should see "Role saved" flash message
    +
    +  Scenario: View calendar event by direct link without permissions
    +    Given I proceed as the Admin
    +    When I reload the page
    +    Then I should see "403. Forbidden You don't have permission to access this page."
    
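Review bot: the feature is titled "by direct link", yet no scenario navigates to an explicit event URL; the final scenario reuses the Admin session that already has the event page open and only reloads it, so the 403 assertion shows that an already-open view is re-authorized on refresh, not that a fresh request to the event URL is rejected. Suggest a step that visits the event's URL directly (in the second session, or after logging in again) once the permission has been removed. Two smaller points: the "Edit manage system calendar capability" scenario unchecks "Manage System Calendars (And Their Events)" on the Administrator role and never restores it, so later features depend on the test framework resetting role state; and the first block is a `Scenario:` named "Feature Background" rather than a Gherkin `Background:`, so it runs once as an ordinary scenario instead of before each scenario.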
5f4734aa0208

BAP-22046: Fix system calendar events (#35686)

https://github.com/oroinc/OroCalendarBundle · Yurii Muratov · Jun 1, 2023 · via ghsa
4 files changed · +62 −0
  • Controller/SystemCalendarEventController.php (+7 −0, modified)
    @@ -200,6 +200,13 @@ private function checkPermissions(SystemCalendar $systemCalendar = null)
     
             $this->checkPermissionByConfig($systemCalendar);
     
    +        $isGranted = $systemCalendar->isPublic()
    +            ? $this->isGranted('oro_public_calendar_management')
    +            : $this->isGranted('oro_system_calendar_management');
    +        if (!$isGranted) {
    +            throw new AccessDeniedException();
    +        }
    +
             if (!$systemCalendar->isPublic() && !$this->isGranted('VIEW', $systemCalendar)) {
                 // an user must have permissions to view system calendar
                 throw new AccessDeniedException();
    
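Review bot: this controller hunk is line-for-line identical to the one in commit 460a8ffb63b1 above (the two commits differ only in their PR numbers, #35686 and #35687), as are the three test-file hunks that follow, so the same observations apply here: the nullable `$systemCalendar` parameter is dereferenced without a guard before the capability check, and the added Behat coverage exercises only the `public: true` calendar and the `oro_public_calendar_management` branch. If the two commits target different release lines, the null guard and the non-public fixture should be added to both so the branches do not diverge.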
  • Tests/Behat/behat.yml (+1 −0, modified)
    @@ -9,6 +9,7 @@ oro_behat_extension:
             - Oro\Bundle\FormBundle\Tests\Behat\Context\FormContext
             - Oro\Bundle\TestFrameworkBundle\Tests\Behat\Context\OroMainContext
             - Oro\Bundle\SearchBundle\Tests\Behat\Context\SearchContext
    +        - Oro\Bundle\SecurityBundle\Tests\Behat\Context\ACLContext
           paths:
           - '@OroCalendarBundle/Tests/Behat/Features'
       pages:
    
  • Tests/Behat/Features/Fixtures/SystemCalendarEvent.yml (+15 −0, added)
    @@ -0,0 +1,15 @@
    +Oro\Bundle\CalendarBundle\Entity\SystemCalendar:
    +    systemCalendar:
    +        name: 'System Calendar'
    +        public: true
    +        createdAt: '<dateTime()>'
    +        updatedAt: '<dateTime()>'
    +        organization: '@organization'
    +
    +Oro\Bundle\CalendarBundle\Entity\CalendarEvent:
    +    calendarEvent:
    +        title: System Calendar Event
    +        systemCalendar: '@systemCalendar'
    +        start: <dateTimeBetween('+1 day', '+5 days')>
    +        end: <dateTimeBetween($start, '+10 days')>
    +        allDay: false
    
  • Tests/Behat/Features/system_calendar_event_by_direct_link.feature (+39 −0, added)
    @@ -0,0 +1,39 @@
    +@ticket-CRM-9408
    +@fixture-OroCalendarBundle:SystemCalendarEvent.yml
    +@fixture-OroUserBundle:manager.yml
    +
    +Feature: System calendar event by direct link
    +In order to keep system ACL protected
    +As an Administrator
    +I should be sure that access to the system calendar event by direct links are ACL protected
    +
    +  Scenario: Feature Background
    +    Given sessions active:
    +      | Admin  |first_session  |
    +      | Admin1 |second_session |
    +
    +  Scenario: View calendar event with default permissions
    +    Given I proceed as the Admin
    +    Given I login as administrator
    +    When I go to System / System Calendars
    +    And I click view "System Calendar" in grid
    +    Then I should see "System calendars"
    +    And I should see "System Calendar"
    +    When I click view "System Calendar Event" in grid
    +    Then I should see "System Calendar Event"
    +
    +
    +  Scenario: Edit manage system calendar capability
    +    Given I proceed as the Admin1
    +    And I login as administrator
    +    And I go to System / User Management / Roles
    +    And I filter Label as is equal to "Administrator"
    +    When I click edit "Administrator" in grid
    +    And I uncheck "Manage System Calendars (And Their Events)" entity permission
    +    And save and close form
    +    Then I should see "Role saved" flash message
    +
    +  Scenario: View calendar event by direct link without permissions
    +    Given I proceed as the Admin
    +    When I reload the page
    +    Then I should see "403. Forbidden You don't have permission to access this page."
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.