OroCommerce Customer Portal Incorrect Customer and Customer Group Frontend Menus pages visibility
Description
Back-office users in OroCommerce can bypass ACL to access Customer and Customer User menu information; patched in versions 5.0.11 and 5.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-32064 is an access control vulnerability in OroCommerce, a B2B e-commerce platform. The issue stems from insufficient security checks for Customer and Customer User menus, allowing back-office users to access these menus even when they should be restricted by ACL [1].
An attacker with back-office user privileges can exploit this by navigating to the Customer or Customer User menus, bypassing the intended access controls. No additional authentication or network position is required beyond being a legitimate back-office user [2].
Successful exploitation leads to unauthorized access to customer information, including potentially sensitive data from the Customer and Customer User menus. This violates confidentiality and can lead to data leakage [1].
The issue has been patched in OroCommerce versions 5.0.11 and 5.1.1. Users are advised to upgrade to these or later versions to remediate the vulnerability [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| oro/customer-portal | Packagist | >= 4.2.0, <= 4.2.8 | — |
| oro/customer-portal | Packagist | >= 5.0.0, < 5.0.11 | 5.0.11 |
| oro/customer-portal | Packagist | >= 5.1.0, < 5.1.1 | 5.1.1 |
Affected products
- oroinc/orocommerce (v5), range: >= 4.2.0, <= 4.2.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8gwj-68w6-7v6c (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-32064 (ghsa, ADVISORY)
- github.com/oroinc/orocommerce/security/advisories/GHSA-8gwj-68w6-7v6c (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.