OroCommerce get-totals-for-checkout API endpoint returns unwanted data
Description
OroCommerce allows unauthorized retrieval of detailed order totals via order ID due to insufficient access control.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OroCommerce, an open-source B2B e-commerce application, contains an information disclosure vulnerability where detailed order totals can be retrieved by simply providing an order ID. The issue stems from insufficient access controls on the order totals endpoint, allowing any authenticated or possibly unauthenticated user to query order data without proper ownership verification [1][2].
Exploitation
An attacker can exploit this vulnerability by sending a request to the affected endpoint with a known or guessed order ID. The attack is remotely exploitable, requires low complexity, no special privileges, and no user interaction. The attacker only needs network access to the OroCommerce instance [2].
Impact
Successful exploitation allows an attacker to view detailed order totals for any order, potentially exposing sensitive business transaction data. This could lead to competitive intelligence gathering or privacy violations, depending on the nature of the orders [1][2].
Mitigation
The vulnerability has been patched in OroCommerce versions 5.0.11 and 5.1.1. Users are strongly advised to upgrade to these versions or later. No workarounds have been officially provided [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| oro/commerce | Packagist | >= 4.2.0, <= 4.2.10 | — |
| oro/commerce | Packagist | >= 5.0.0, < 5.0.11 | 5.0.11 |
| oro/commerce | Packagist | >= 5.1.0, < 5.1.1 | 5.1.1 |
Affected products
- oroinc/orocommerce (v5), affected range: >= 4.2.0, <= 4.2.10
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-88g2-xgh9-4ph2 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2023-32065 (NVD entry)
3. github.com/oroinc/orocommerce/security/advisories/GHSA-88g2-xgh9-4ph2 (vendor advisory, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.