VYPR
Moderate severity · NVD Advisory · Published Nov 28, 2023 · Updated Aug 2, 2024

OroCRMCallBundle has incorrect call view page visibility

CVE-2023-32063

Description

In OroCalendarBundle, back-office users can view any call event, bypassing ACL checks due to missing security annotations; fixed in 5.0.4 and 5.1.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

CVE-2023-32063 is an access control vulnerability in the OroCalendarBundle component of OroCRM. The root cause is that the viewAction method in the call controller was missing the @AclAncestor("oro_call_view") annotation, which is required to enforce ACL permissions [2][3]. Without this annotation, the application fails to check whether the authenticated user has the necessary privileges to view a specific call event, allowing unauthorized access.

Exploitation

A back-office user with any level of authenticated access can exploit this flaw by directly navigating to a call event's view URL (e.g., /call/view/{id}). No special privileges or prior knowledge are needed beyond a valid session; the attack is simple to execute because the ACL check is entirely absent. The security advisory notes that the attack vector is network-based, with low attack complexity, low privileges required, and no user interaction [4].

Impact

An attacker who successfully exploits this vulnerability can view the details (subject, participants, notes) of any call event in the system, regardless of their assigned permissions. This leads to unauthorized disclosure of potentially sensitive information, violating confidentiality. Integrity and availability are not directly affected. The vulnerability is rated with a CVSS v3.1 base score of 4.3 (Medium), reflecting the limited but real confidentiality impact [1].

Mitigation

The fix was implemented by adding the @AclAncestor("oro_call_view") annotation to the viewAction method in commits [2] and [3]. Users should upgrade to OroCRM version 5.0.4 or 5.1.1, where the patch is included [1]. There are no known workarounds, as the vulnerability stems from a missing code-level security check.
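The root cause under Vulnerability and the code-level fix under Mitigation reduce to one question: does every routed controller action carry an @Acl or @AclAncestor annotation? The script below is an added example, not code from OroCRM or from this advisory; it is a heuristic audit that scans PHP controller source for action docblocks that have @Route but no ACL annotation, run over a constructed controller whose viewAction mirrors the pre-fix state.

```python
import re

# Constructed sample PHP controller in the OroCRM annotation style.
# viewAction mirrors the pre-fix state from CVE-2023-32063 (@Route and
# @Template but no ACL annotation); the other two actions are protected.
SAMPLE_CONTROLLER = '''<?php
class CallController
{
    /**
     * @Route("/view/{id}", name="oro_call_view")
     * @Template
     */
    public function viewAction(Call $entity) {}

    /**
     * @Route("/update/{id}", name="oro_call_update")
     * @AclAncestor("oro_call_update")
     */
    public function updateAction(Call $entity) {}

    /**
     * @Route("/", name="oro_call_index")
     * @Acl(id="oro_call_view", type="entity", permission="VIEW")
     */
    public function indexAction() {}
}
'''

# A docblock (stopping at its own closing */) directly followed by a
# public ...Action method; DOTALL lets the docblock span lines.
ACTION_RE = re.compile(
    r'/\*\*(?P<doc>(?:(?!\*/).)*)\*/\s*public\s+function\s+(?P<name>\w+Action)\s*\(',
    re.DOTALL,
)
ROUTE_RE = re.compile(r'@Route\s*\(')
ACL_RE = re.compile(r'@(?:Acl|AclAncestor)\s*\(')


def unprotected_actions(php_source):
    """Names of routed actions whose docblock carries no @Acl/@AclAncestor.

    Heuristic: only docblock annotations are inspected, so an action guarded
    by a programmatic isGranted() call in its body is still reported and
    must be reviewed by hand.
    """
    return [
        m.group('name')
        for m in ACTION_RE.finditer(php_source)
        if ROUTE_RE.search(m.group('doc')) and not ACL_RE.search(m.group('doc'))
    ]
```

Running it over the sample reports only viewAction; the same check applied to the other actions in CallController.php is how a reviewer would confirm the fix in the patches below is not needed elsewhere.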

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions     Patched versions
oro/crm-call-bundle (Packagist)  >= 4.2.0, <= 4.2.5
oro/crm-call-bundle (Packagist)  >= 5.0.0, < 5.0.4     5.0.4
oro/crm-call-bundle (Packagist)  >= 5.1.0, < 5.1.1     5.1.1


Patches (2)
9a41dff459bb

CRM-9408: Add tests for calls controller (#35651)

https://github.com/oroinc/OroCRMCallBundle · Yurii Muratov · May 30, 2023 · via ghsa
2 files changed · +39 −0
  • Controller/CallController.php  +1 −0  modified
    @@ -107,6 +107,7 @@ public function indexAction()
         /**
          * @Route("/view/{id}", name="oro_call_view")
          * @Template
    +     * @AclAncestor("oro_call_view")
          */
         public function viewAction(Call $entity)
         {
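Review bot: the `use` import for the AclAncestor annotation class is not visible in this hunk's context; confirm it is already present in CallController.php (it will be if another action in the file carries an ACL annotation), since Doctrine annotations that are not imported do not resolve. Also confirm that an ACL resource with id `oro_call_view` is defined somewhere (an `@Acl(id="oro_call_view", ...)` on another action or an entry in the bundle's acls.yml): `@AclAncestor("oro_call_view")` only references a definition by id and does not create one, and the route name on the line above being `oro_call_view` too does not make it one. Finally, the fix touches viewAction alone; the other routed actions in this controller should be checked for the same omission in the same change.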
    
  • Tests/Behat/Features/call_view_by_direct_link.feature  +38 −0  added
    @@ -0,0 +1,38 @@
    +@ticket-CRM-9408
    +@fixture-OroCallBundle:CallFixture.yml
    +
    +Feature: Call view by direct link
    +  In order to keep system ACL protected
    +  As an Administrator
    +  I should be sure that access to the calls by direct links are ACL protected
    +
    +  Scenario: Feature Background
    +    Given sessions active:
    +      | Admin  |first_session  |
    +      | Admin1 |second_session |
    +
    +  Scenario: View call with default permissions
    +    Given I proceed as the Admin
    +    And I login as administrator
    +    When I go to Activities/ Calls
    +    Then I should see following grid:
    +      | Subject   |
    +      | Test Call |
    +    When I click view "Test Call" in grid
    +    And I should see "Test Call"
    +
    +  Scenario: Edit view permissions for Call entity
    +    Given I proceed as the Admin1
    +    And I login as administrator
    +    And I go to System / User Management / Roles
    +    And I filter Label as is equal to "Administrator"
    +    When I click edit "Administrator" in grid
    +    And select following permissions:
    +      | Call | View:None |
    +    And save and close form
    +    Then I should see "Role saved" flash message
    +
    +  Scenario: View call by direct link without view permission
    +    Given I proceed as the Admin
    +    When I reload the page
    +    Then I should see "403. Forbidden You don't have permission to access this page."
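Review bot: the last scenario's `When I reload the page` in the Admin session relies on the call view page still being open from the "View call with default permissions" scenario, so the three scenarios are order-dependent and share browser state; a scenario that navigates to the call's view URL explicitly (the feature is titled "by direct link") would test the fix on its own and survive reordering or running a single scenario. Admin1 removes View from the Administrator role, which Admin1 itself holds, so this works only because nothing follows; any scenario appended later will hit the same 403. Minor: the narrative line "access to the calls by direct links are ACL protected" should read "is ACL protected".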
    
456b1dda7762

CRM-9408: Add tests for calls controller (#35652)

https://github.com/oroinc/OroCRMCallBundle · Yurii Muratov · May 30, 2023 · via ghsa
2 files changed · +39 −0
  • Controller/CallController.php  +1 −0  modified
    @@ -107,6 +107,7 @@ public function indexAction()
         /**
          * @Route("/view/{id}", name="oro_call_view")
          * @Template
    +     * @AclAncestor("oro_call_view")
          */
         public function viewAction(Call $entity)
         {
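Review bot: the commit title "CRM-9408: Add tests for calls controller" describes only the feature file and says nothing about this one-line change to CallController.php closing an ACL bypass on the call view page. The same change lands in two commits (#35651 and #35652), presumably one per maintained branch given the advisory's 5.0.4 and 5.1.1 fix versions; the changelog or release notes for both should name the security fix so that downstream users searching for it can find it.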
    
  • Tests/Behat/Features/call_view_by_direct_link.feature  +38 −0  added
    @@ -0,0 +1,38 @@
    +@ticket-CRM-9408
    +@fixture-OroCallBundle:CallFixture.yml
    +
    +Feature: Call view by direct link
    +  In order to keep system ACL protected
    +  As an Administrator
    +  I should be sure that access to the calls by direct links are ACL protected
    +
    +  Scenario: Feature Background
    +    Given sessions active:
    +      | Admin  |first_session  |
    +      | Admin1 |second_session |
    +
    +  Scenario: View call with default permissions
    +    Given I proceed as the Admin
    +    And I login as administrator
    +    When I go to Activities/ Calls
    +    Then I should see following grid:
    +      | Subject   |
    +      | Test Call |
    +    When I click view "Test Call" in grid
    +    And I should see "Test Call"
    +
    +  Scenario: Edit view permissions for Call entity
    +    Given I proceed as the Admin1
    +    And I login as administrator
    +    And I go to System / User Management / Roles
    +    And I filter Label as is equal to "Administrator"
    +    When I click edit "Administrator" in grid
    +    And select following permissions:
    +      | Call | View:None |
    +    And save and close form
    +    Then I should see "Role saved" flash message
    +
    +  Scenario: View call by direct link without view permission
    +    Given I proceed as the Admin
    +    When I reload the page
    +    Then I should see "403. Forbidden You don't have permission to access this page."
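Review bot: the feature tags `@fixture-OroCallBundle:CallFixture.yml`, but that fixture is not part of this diff (2 files changed); confirm it exists on this branch and creates a "Test Call" record visible to the Admin session under default permissions, otherwise the first scenario fails before the ACL scenario is ever reached.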
    


References (5)
