VYPR
Moderate severity · NVD Advisory · Published Mar 25, 2024 · Updated Aug 2, 2024

OroPlatform's storefront user can access history and most viewed data from matching back-office user with the same ID

CVE-2023-48296

Description

OroPlatform 5.1.4 fixes an information disclosure vulnerability where a storefront user can access navigation history of a back-office user with the same user ID.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

The vulnerability resides in OroPlatform's navigation component, which returns JSON responses containing navigation history, most viewed items, and favorite navigation items to the storefront user. The flaw occurs when the ID of a storefront user matches the ID of a back-office user [1]. Under this condition, the server does not properly distinguish between the two user contexts, allowing the storefront user to receive data intended only for the back-office user [3].
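
The ID collision described above, modelled as an added example (not OroPlatform's code; class names, function names and sample data are hypothetical): a lookup keyed on the numeric ID alone returns a back-office user's rows to a storefront user with the same ID, while a lookup keyed on account type plus ID does not. `findIdCollisions` lists the account pairs that share an ID, which is the condition the advisory names.

```php
<?php
declare(strict_types=1);

// Added illustration, not OroPlatform code: all names are hypothetical and
// the data is constructed. Requires PHP 8.1+.

final class Account
{
    public function __construct(
        public readonly string $type, // 'backoffice' or 'storefront'
        public readonly int $id,      // each account type has its own ID sequence
        public readonly string $login,
    ) {
    }
}

final class NavigationItemStore
{
    /** @var list<array{ownerType: string, ownerId: int, kind: string, url: string}> */
    private array $rows = [];

    public function add(Account $owner, string $kind, string $url): void
    {
        $this->rows[] = [
            'ownerType' => $owner->type,
            'ownerId'   => $owner->id,
            'kind'      => $kind, // 'history', 'mostviewed' or 'favorite'
            'url'       => $url,
        ];
    }

    /** Weak lookup: matches on the numeric ID alone, so account types are conflated. */
    public function findByIdOnly(Account $current): array
    {
        return array_values(array_filter(
            $this->rows,
            static fn (array $row): bool => $row['ownerId'] === $current->id
        ));
    }

    /** Hardened lookup: a row belongs to the caller only if type and ID both match. */
    public function findByOwner(Account $current): array
    {
        return array_values(array_filter(
            $this->rows,
            static fn (array $row): bool =>
                $row['ownerType'] === $current->type && $row['ownerId'] === $current->id
        ));
    }
}

/**
 * Exposure check: storefront accounts whose ID equals that of a back-office account.
 *
 * @param list<Account> $accounts
 * @return list<array{storefront: string, backoffice: string, id: int}>
 */
function findIdCollisions(array $accounts): array
{
    $backofficeById = [];
    foreach ($accounts as $account) {
        if ($account->type === 'backoffice') {
            $backofficeById[$account->id] = $account->login;
        }
    }

    $collisions = [];
    foreach ($accounts as $account) {
        if ($account->type === 'storefront' && isset($backofficeById[$account->id])) {
            $collisions[] = [
                'storefront' => $account->login,
                'backoffice' => $backofficeById[$account->id],
                'id'         => $account->id,
            ];
        }
    }

    return $collisions;
}

// Constructed sample data.
$admin  = new Account('backoffice', 7, 'admin');
$buyer  = new Account('storefront', 7, 'buyer-a'); // same numeric ID as $admin
$buyer2 = new Account('storefront', 8, 'buyer-b');

$store = new NavigationItemStore();
$store->add($admin, 'history', '/admin/order/view/1042');
$store->add($admin, 'mostviewed', '/admin/customer/');
$store->add($buyer2, 'history', '/product/view/3');

printf("ID-only lookup for %s: %d row(s)\n", $buyer->login, count($store->findByIdOnly($buyer)));
printf("Type+ID lookup for %s: %d row(s)\n", $buyer->login, count($store->findByOwner($buyer)));
printf("Colliding accounts: %s\n", json_encode(findIdCollisions([$admin, $buyer, $buyer2])));
```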

Exploitation Details

An attacker who is a registered storefront user can exploit this by obtaining or guessing the ID of a back-office user. The attack does not require any special privileges beyond a valid storefront account, and the attack complexity is low because the server simply responds with the full navigation data set whenever the IDs match [3]. The exploitation is remote, as the attacker only needs to make a web request to the vulnerable endpoint.

Impact Assessment

Successful exploitation results in unauthorized access to sensitive navigation data, including history and most viewed items, of a back-office user. This constitutes a confidentiality breach, as the storefront user can infer business operations or internal workflows from the back-office user's browsing patterns. No integrity or availability impacts are present [3].

Mitigation Status

OroPlatform version 5.1.4 contains the fix for this vulnerability. Users are strongly advised to upgrade to the latest version. No workarounds have been documented, but the commit referenced in [2] modifies the product bundle to block multi-file attributes on certain pages, which may relate to the fix's broader scope.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| oro/customer-portal (Packagist) | >= 4.1.0, <= 4.1.13 | |
| oro/customer-portal (Packagist) | >= 4.2.0, <= 4.2.10 | |
| oro/customer-portal (Packagist) | >= 5.0.0, <= 5.0.11 | |
| oro/customer-portal (Packagist) | >= 5.1.0, < 5.1.4 | 5.1.4 |

Patches

41c526498012

BB-22832: Multifile attribute is shown on product visibility page in back-office - 5.1 (#36428)

https://github.com/oroinc/orocommerce · Dmytro Syrvachov · Dec 6, 2023 · via ghsa
8 files changed · +452 -27
  • src/Oro/Bundle/ProductBundle/EventListener/AttributeFormViewListener.php +1 -10 modified
    @@ -2,7 +2,6 @@
     
     namespace Oro\Bundle\ProductBundle\EventListener;
     
    -use Oro\Bundle\AttachmentBundle\Helper\FieldConfigHelper;
     use Oro\Bundle\CMSBundle\DBAL\Types\WYSIWYGType;
     use Oro\Bundle\EntityConfigBundle\Attribute\Entity\AttributeGroup;
     use Oro\Bundle\EntityConfigBundle\Entity\FieldConfigModel;
    @@ -198,14 +197,6 @@ protected function renderAttributeViewData(Environment $twig, $entity, FieldConf
     
         protected function isSeparateGroup(?string $type): bool
         {
    -        return in_array(
    -            (string)$type,
    -            [
    -                WYSIWYGType::TYPE,
    -                FieldConfigHelper::MULTI_FILE_TYPE,
    -                FieldConfigHelper::MULTI_IMAGE_TYPE
    -            ],
    -            true
    -        );
    +        return in_array((string)$type, [WYSIWYGType::TYPE], true);
         }
     }
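
Review bot: in `isSeparateGroup()`, `in_array((string)$type, [WYSIWYGType::TYPE], true)` now searches a one-element array; a direct comparison `(string)$type === WYSIWYGType::TYPE` says the same thing more plainly. The method also has no docblock explaining why the multi-file and multi-image types no longer get their own group, which the next reader will want given that they were listed explicitly before.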
    
  • src/Oro/Bundle/ProductBundle/EventListener/ProductMultiFileBlockListener.php +25 -0 added
    @@ -0,0 +1,25 @@
    +<?php
    +
    +namespace Oro\Bundle\ProductBundle\EventListener;
    +
    +use Oro\Bundle\UIBundle\Event\BeforeFormRenderEvent;
    +
    +/**
    + * Stops adding additional fields or attributes to forms if they are on the specified pages
    + */
    +class ProductMultiFileBlockListener
    +{
    +    private array $pages = [];
    +
    +    public function setPages(array $pages): void
    +    {
    +        $this->pages = $pages;
    +    }
    +
    +    public function onBeforeFormRender(BeforeFormRenderEvent $event): void
    +    {
    +        if (in_array($event->getPageId(), $this->pages)) {
    +            $event->stopPropagation();
    +        }
    +    }
    +}
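
Review bot: `in_array($event->getPageId(), $this->pages)` in `onBeforeFormRender()` omits the strict flag, unlike the `in_array(..., true)` call in `isSeparateGroup()` in this same commit; pass `true` so the page ID is matched by type as well as value. Also, `stopPropagation()` halts every lower-priority listener on the event for the configured pages, not only multi-file handling, so the class name `ProductMultiFileBlockListener` undersells its effect; the docblock describes the behaviour accurately and the name should match it.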
    
  • src/Oro/Bundle/ProductBundle/Resources/config/services.yml +9 -0 modified
    @@ -1098,6 +1098,15 @@ services:
                 - { name: kernel.event_listener, event: oro_ui.scroll_data.before.product-create-step-two, method: onEdit, priority: -255 }
                 - { name: kernel.event_listener, event: oro_ui.scroll_data.before.product-view, method: onViewList, priority: -255 }
     
    +    oro_product.event_listener.product_multi_file_block_listener:
    +        class: Oro\Bundle\ProductBundle\EventListener\ProductMultiFileBlockListener
    +        arguments:
    +            - '@oro_entity_config.provider.entity'
    +        calls:
    +            - [setPages, [['product-visibility-edit', 'product-create-step-one']]]
    +        tags:
    +            - { name: kernel.event_listener, event: entity_form.render.before, method: onBeforeFormRender, priority: -250 }
    +
         oro_product.provider.product_variant_availability_provider:
             class: 'Oro\Bundle\ProductBundle\Provider\ProductVariantAvailabilityProvider'
             arguments:
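
Review bot: the `arguments` entry `'@oro_entity_config.provider.entity'` is passed to a class that, as added in this commit, declares no constructor (the unit test builds it with `new ProductMultiFileBlockListener()`), so the injected service is never used; drop the `arguments` block. The `priority: -250` also deserves a comment naming the listeners it must run ahead of, since the blocking depends entirely on ordering.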
    
  • src/Oro/Bundle/ProductBundle/Tests/Behat/behat.yml +12 -2 modified
    @@ -1531,12 +1531,22 @@ oro_behat_extension:
         MultipleFiles Field:
           selector:
             type: xpath
    -        locator: '//h4[contains(., "MultipleFiles")]/parent::*'
    +        locator: '//div[contains(@id,"MultipleFiles") and contains(@class,"file-collection")]/parent::*'
    +
    +    MultipleFiles Backoffice Field:
    +      selector:
    +        type: xpath
    +        locator: '//div[contains(@id,"grid-MultipleFiles")]/parent::*'
     
         MultipleImages Field:
           selector:
             type: xpath
    -        locator: '//h4[contains(., "MultipleImages")]/parent::*'
    +        locator: '//div[contains(@id,"MultipleImages") and contains(@class,"file-collection")]/parent::*'
    +
    +    MultipleImages Backoffice Field:
    +      selector:
    +        type: xpath
    +        locator: '//div[contains(@id,"grid-MultipleImages")]/parent::*'
     
         Drawing Storefront Field:
           selector:
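
Review bot: the `MultipleFiles Field` and `MultipleImages Field` locators use `contains(@id,"MultipleFiles")` and `contains(@id,"MultipleImages")`, substring matches that also match the `grid-MultipleFiles` and `grid-MultipleImages` ids targeted by the new Backoffice selectors; only the `file-collection` class test keeps the two apart. Excluding the grid ids explicitly, for example with `not(contains(@id,"grid-"))`, would make the selectors independent of each other.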
    
  • src/Oro/Bundle/ProductBundle/Tests/Behat/Features/other/check_that_tabs_for_multiple_file_and_multiple_images_fields_are_displayed_correctly_on_product_pages.feature +348 -0 added
    @@ -0,0 +1,348 @@
    +@regression
    +@ticket-BB-22832
    +
    +Feature: Check that tabs for multiple file and multiple images fields are displayed correctly on product pages
    +  As an administrator, I want to make sure that:
    +  - entity fields are not displayed on the first step of product creation page and not on the product
    +    visibility page.
    +  - entity entity fields are displayed on product second step creation page, product edit page, product view page.
    +  - product attributes fields are not displayed on the first step of product creation page, second step of product
    +    creation page, product edit page, product view page, product visibility page if attributes not added to family.
    +  - product attributes fields are not displayed on the first step of product creation page, product visibility
    +    page if attributes added to family.
    +  - product attributes are displayed on product second step creation page, product edit page, product view page
    +    if attributes added to family.
    +
    +  Scenario: Authenticate
    +    Given I login as administrator
    +    And go to Products / Product Attributes
    +
    +  Scenario Outline: Create Multiple Files attributes
    +    Given I click "Create Attribute"
    +    When I fill form with:
    +      | Field name | <Name>         |
    +      | Type       | Multiple Files |
    +    And click "Continue"
    +    And fill form with:
    +      | Label             | <Name>    |
    +      | Stored Externally | No        |
    +      | File Size (MB)    | 10        |
    +      | Use DAM           | <Use DAM> |
    +      | File Applications | [default] |
    +    And save and close form
    +    Then I should see "Attribute was successfully saved" flash message
    +    Examples:
    +      | Name                         | Use DAM |
    +      | multiple_files_attribute     | No      |
    +      | multiple_files_dam_attribute | Yes     |
    +
    +  Scenario Outline: Create Multiple Images attribute
    +    Given I click "Create Attribute"
    +    When I fill form with:
    +      | Field name | <Name>          |
    +      | Type       | Multiple Images |
    +    And click "Continue"
    +    And fill form with:
    +      | Label             | <Name>    |
    +      | Stored Externally | No        |
    +      | File Size (MB)    | 10        |
    +      | Thumbnail Width   | 1024      |
    +      | Thumbnail Height  | 1024      |
    +      | Use DAM           | <Use DAM> |
    +      | File Applications | [default] |
    +    And save and close form
    +    Then I should see "Attribute was successfully saved" flash message
    +    Examples:
    +      | Name                          | Use DAM |
    +      | multiple_images_attribute     | No      |
    +      | multiple_images_dam_attribute | Yes     |
    +
    +  Scenario: Create fields
    +    Given I go to System/ Entities/ Entity Management
    +    And I filter "Name" as is equal to "Product"
    +    And I click view Product in grid
    +
    +  Scenario Outline: Create Multiple Files fields
    +    Given I click "Create field"
    +    When I fill form with:
    +      | Field name   | <Name>         |
    +      | Storage type | Table column   |
    +      | Type         | Multiple Files |
    +    And click "Continue"
    +    And fill form with:
    +      | Label             | <Name>    |
    +      | Stored Externally | No        |
    +      | File Size (MB)    | 10        |
    +      | Use DAM           | <Use DAM> |
    +      | File Applications | [default] |
    +    And save and close form
    +    Then I should see "Field saved" flash message
    +    Examples:
    +      | Name                     | Use DAM |
    +      | multiple_files_field     | No      |
    +      | multiple_files_dam_field | Yes     |
    +
    +  Scenario Outline: Create Multiple Images fields
    +    Given I click "Create field"
    +    When I fill form with:
    +      | Field name | <Name>          |
    +      | Type       | Multiple Images |
    +    And click "Continue"
    +    And fill form with:
    +      | Label             | <Name>    |
    +      | Stored Externally | No        |
    +      | File Size (MB)    | 10        |
    +      | Thumbnail Width   | 1024      |
    +      | Thumbnail Height  | 1024      |
    +      | Use DAM           | <Use DAM> |
    +      | File Applications | [default] |
    +    And save and close form
    +    Then I should see "Field saved" flash message
    +    Examples:
    +      | Name                      | Use DAM |
    +      | multiple_images_field     | No      |
    +      | multiple_images_dam_field | Yes     |
    +
    +  Scenario: Update schema
    +    Given I click update schema
    +    Then I should see Schema updated flash message
    +
    +  Scenario: Check for fields and missing attributes on product creation pages
    +    Given I go to Products/ Products
    +    When I click "Create Product"
    +    Then I should see "General"
    +    # At the first step of creating a product, we should not see additional fields and attributes.
    +    # Check product attribute on first product create page.
    +    And should not see "multiple_files_attribute"
    +    And should not see "multiple_files_dam_attribute"
    +    And should not see "multiple_images_attribute"
    +    And should not see "multiple_images_dam_attribute"
    +    # Check extend field on first product create page.
    +    And should not see "multiple_files_field"
    +    And should not see "multiple_files_dam_field"
    +    And should not see "multiple_images_field"
    +    And should not see "multiple_images_dam_field"
    +    When I fill "ProductForm Step One" with:
    +      | Type           | Simple  |
    +      | Product Family | Default |
    +    And click "Continue"
    +    # Attributes is not displayed because they are not added to the product family.
    +    # Check product attribute on second product create page.
    +    Then I should not see "multiple_files_attribute"
    +    And should not see "multiple_files_dam_attribute"
    +    And should not see "multiple_images_attribute"
    +    And should not see "multiple_images_dam_attribute"
    +    # Check extend field on second product create page
    +    And should see "multiple_files_field"
    +    And should see "multiple_files_dam_field"
    +    And should see "multiple_images_field"
    +    And should see "multiple_images_dam_field"
    +    When I fill "ProductForm" with:
    +      | Sku  | ORO_PRODUCT_1 |
    +      | Name | ORO_PRODUCT_1 |
    +    And save and close form
    +    Then I should see "Product has been saved" flash message
    +
    +  Scenario: Check for fields and missing attributes on product edit page
    +    Given I click "Edit"
    +    # Check product attribute on product edit page
    +    Then I should not see "multiple_files_attribute"
    +    And should not see "multiple_files_dam_attribute"
    +    And should not see "multiple_images_attribute"
    +    And should not see "multiple_images_dam_attribute"
    +    # Check extend field on product edit page
    +    And should see "multiple_files_field"
    +    And should see "multiple_files_dam_field"
    +    And should see "multiple_images_field"
    +    And should see "multiple_images_dam_field"
    +    When I save and close form
    +    Then I should see "Product has been saved" flash message
    +
    +  Scenario: Check for fields and missing attributes on product view page
    +    # Check product attribute on product view page
    +    Given I should not see "multiple_files_attribute"
    +    And should not see "multiple_files_dam_attribute"
    +    And should not see "multiple_images_attribute"
    +    And should not see "multiple_images_dam_attribute"
    +    # Check extend field on product view page
    +    And should see "multiple_files_field"
    +    And should see "multiple_files_dam_field"
    +    And should see "multiple_images_field"
    +    And should see "multiple_images_dam_field"
    +
    +  Scenario: Check for fields and missing attributes on product visibility page
    +    Given I click "More actions"
    +    When I click "Manage Visibility"
    +    # Check product attribute on product visibility page
    +    Then I should not see "multiple_files_attribute"
    +    And should not see "multiple_files_dam_attribute"
    +    And should not see "multiple_images_attribute"
    +    And should not see "multiple_images_dam_attribute"
    +    # Check extend field on product visibility page
    +    And should not see "multiple_files_field"
    +    And should not see "multiple_files_dam_field"
    +    And should not see "multiple_images_field"
    +    And should not see "multiple_images_dam_field"
    +
    +  Scenario: Update product family with new attributes
    +    When I go to Products/ Product Families
    +    And I click "Edit" on row "default_family" in grid
    +    And click "Add"
    +    And fill "Attributes Group Form" with:
    +      | Attribute Groups Label0      | Multiple Fields Attributes                                                                                         |
    +      | Attribute Groups Visible0    | true                                                                                                               |
    +      | Attribute Groups Attributes0 | [multiple_files_attribute, multiple_files_dam_attribute, multiple_images_attribute, multiple_images_dam_attribute] |
    +    And save and close form
    +    Then I should see "Successfully updated" flash message
    +
    +  Scenario: Check for fields and attributes on product creation pages
    +    Given I go to Products/ Products
    +    When I click "Create Product"
    +    # Check product attribute on first product create page
    +    Then I should not see "Multiple Fields Attributes"
    +    And should not see "multiple_files_attribute"
    +    And should not see "multiple_files_dam_attribute"
    +    And should not see "multiple_images_attribute"
    +    And should not see "multiple_images_dam_attribute"
    +    # Check extend field on first product create page
    +    And should not see "multiple_files_field"
    +    And should not see "multiple_files_dam_field"
    +    And should not see "multiple_images_field"
    +    And should not see "multiple_images_dam_field"
    +    And fill "ProductForm Step One" with:
    +      | Type           | Simple  |
    +      | Product Family | Default |
    +    When I click "Continue"
    +    # Check product attribute on second product create page
    +    Then I should see "Multiple Fields Attributes"
    +    # Check if the attributes are displayed (attributes fields do not have names except for family tab)
    +    And should not see "multiple_files_attribute"
    +    And should not see "multiple_files_dam_attribute"
    +    And should not see "multiple_images_attribute"
    +    And should not see "multiple_images_dam_attribute"
    +    # Check extend field on second product create page
    +    And should see "multiple_files_field"
    +    And should see "multiple_files_dam_field"
    +    And should see "multiple_images_field"
    +    And should see "multiple_images_dam_field"
    +    When I fill "ProductForm" with:
    +      | Sku  | ORO_PRODUCT_2 |
    +      | Name | ORO_PRODUCT_2 |
    +    And save and close form
    +    Then I should see "Product has been saved" flash message
    +
    +  Scenario: Check for fields and attributes on product edit page
    +    Given I click "Edit"
    +    # Check product attribute on product edit page
    +    Then I should see "Multiple Fields Attributes"
    +    # Check if the attributes are displayed (attributes fields do not have names except for family tab)
    +    And should not see "multiple_files_attribute"
    +    And should not see "multiple_files_dam_attribute"
    +    And should not see "multiple_images_attribute"
    +    And should not see "multiple_images_dam_attribute"
    +    # Check extend field on product edit page
    +    And should see "multiple_files_field"
    +    And should see "multiple_files_dam_field"
    +    And should see "multiple_images_field"
    +    And should see "multiple_images_dam_field"
    +    When I save and close form
    +    Then I should see "Product has been saved" flash message
    +
    +  Scenario: Check for fields and attributes on product view page
    +    # Check product attribute on product view page
    +    Given I should see "Multiple Fields Attributes"
    +    # Check if the attributes are displayed (attributes fields do not have names except for family tab)
    +    And should not see "multiple_files_attribute"
    +    And should not see "multiple_files_dam_attribute"
    +    And should not see "multiple_images_attribute"
    +    And should not see "multiple_images_dam_attribute"
    +    # Check extend field on product view page
    +    And should see "multiple_files_field"
    +    And should see "multiple_files_dam_field"
    +    And should see "multiple_images_field"
    +    And should see "multiple_images_dam_field"
    +
    +  Scenario: Check for fields and attributes on product visibility page
    +    Given I click "More actions"
    +    When I click "Manage Visibility"
    +    # Check product attribute on product visibility page
    +    Then I should not see "Multiple Fields Attributes"
    +    And should not see "multiple_files_attribute"
    +    And should not see "multiple_files_dam_attribute"
    +    And should not see "multiple_images_attribute"
    +    And should not see "multiple_images_dam_attribute"
    +    # Check extend field on product visibility page
    +    And should not see "multiple_files_field"
    +    And should not see "multiple_files_dam_field"
    +    And should not see "multiple_images_field"
    +    And should not see "multiple_images_dam_field"
    +
    +  Scenario: Create product and check fields and attributes
    +    Given I go to Products/ Products
    +    When I click "Create Product"
    +    And fill "ProductForm Step One" with:
    +      | Type           | Simple  |
    +      | Product Family | Default |
    +    And click "Continue"
    +    And fill "ProductForm" with:
    +      | Sku                       | ORO_PRODUCT_30 |
    +      | Name                      | ORO_PRODUCT_30 |
    +      | Multiple Files Attribute  | example.pdf    |
    +      | Multiple Images Attribute | 300x300.png    |
    +      | Multiple Files Field      | example2.pdf   |
    +      | Multiple Images Field     | blue-dot.jpg   |
    +
    +    And click "Multiple Files DAM Attribute"
    +    And fill "Digital Asset Dialog Form" with:
    +      | File  | example.pdf                  |
    +      | Title | Multiple Files DAM Attribute |
    +    And click "Upload"
    +    And click on example.pdf in grid
    +
    +    And click "Multiple Images DAM Attribute"
    +    And fill "Digital Asset Dialog Form" with:
    +      | File  | 300x300.png                   |
    +      | Title | Multiple Images DAM Attribute |
    +    And click "Upload"
    +    And click on 300x300.png in grid
    +
    +    And click "Multiple Files DAM Field"
    +    And fill "Digital Asset Dialog Form" with:
    +      | File  | example2.pdf             |
    +      | Title | Multiple Files DAM Field |
    +    And click "Upload"
    +    And click on example2.pdf in grid
    +
    +    And click "Multiple Images DAM Field"
    +    And fill "Digital Asset Dialog Form" with:
    +      | File  | blue-dot.jpg              |
    +      | Title | Multiple Images DAM Field |
    +    And click "Upload"
    +    And click on blue-dot.jpg in grid
    +
    +    And save and close form
    +    Then I should see "Product has been saved" flash message
    +    And should see following "Multiple Files Attribute Grid" grid:
    +      | File Name   |
    +      | example.pdf |
    +    And should see following "Multiple Images Attribute Grid" grid:
    +      | Name        |
    +      | 300x300.png |
    +    And should see following "Multiple Files Field Grid" grid:
    +      | File Name    |
    +      | example2.pdf |
    +    And should see following "Multiple Images Field Grid" grid:
    +      | Name         |
    +      | blue-dot.jpg |
    +    And should see following "Multiple Files DAM Attribute Grid" grid:
    +      | File Name   |
    +      | example.pdf |
    +    And should see following "Multiple Images DAM Attribute Grid" grid:
    +      | Name        |
    +      | 300x300.png |
    +    And should see following "Multiple Files DAM Field Grid" grid:
    +      | File Name    |
    +      | example2.pdf |
    +    And should see following "Multiple Images DAM Field Grid" grid:
    +      | Name         |
    +      | blue-dot.jpg |
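
Review bot: the `Create Multiple Images fields` outline fills only `Field name` and `Type`, while `Create Multiple Files fields` also sets `Storage type | Table column`; set it in both or drop it from both so the two field kinds are created the same way. The feature description has a doubled word ("entity entity fields"), and most scenarios start from whatever page the previous scenario left open (`Given I click "Edit"`, `Given I click "More actions"`), so a failure early in the file cascades through the rest.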
    
  • src/Oro/Bundle/ProductBundle/Tests/Behat/Features/product-attributes/product_attributes_order.feature +2 -2 modified
    @@ -87,7 +87,7 @@ Feature: Product attributes order
         And I save and close form
         Then I should see "Product has been saved" flash message
         And I should see "Drawing Backoffice Field" goes after "Document Backoffice Field"
    -    And I should see "MultipleImages Field" goes after "MultipleFiles Field"
    +    And I should see "MultipleImages Backoffice Field" goes after "MultipleFiles Backoffice Field"
     
       Scenario: Check attributes order on store front
         Given I proceed as the Buyer
    @@ -114,7 +114,7 @@ Feature: Product attributes order
         And I should see "MultipleFiles Field" goes after "MultipleImages Field"
         When I save and close form
         Then I should see "Document Backoffice Field" goes after "Drawing Backoffice Field"
    -    And I should see "MultipleFiles Field" goes after "MultipleImages Field"
    +    And I should see "MultipleFiles Backoffice Field" goes after "MultipleImages Backoffice Field"
     
       Scenario: Check attributes order on store front
         Given I proceed as the Buyer
    
  • src/Oro/Bundle/ProductBundle/Tests/Unit/EventListener/AttributeFormViewListenerTest.php +10 -13 modified
    @@ -143,7 +143,8 @@ public function viewListDataProvider(): array
                     'fieldName' => 'someField',
                     'data' => [
                         'view' => ['is_displayable' => true],
    -                    'form' => ['is_enabled' => true]
    +                    'form' => ['is_enabled' => true],
    +                    'attribute' => ['is_attribute' => true],
                     ]
                 ]
             );
    @@ -502,8 +503,8 @@ public function viewListDataProvider(): array
                                     ],
                                 ],
                             ],
    -                        'multiFileField' => [
    -                            'title' => 'translated multiFile field label',
    +                        'group1' => [
    +                            'title' => 'Group1Title',
                                 'useSubBlockDivider' => true,
                                 'subblocks' => [
                                     [
    @@ -512,7 +513,6 @@ public function viewListDataProvider(): array
                                         ],
                                     ],
                                 ],
    -                            'priority' => 501,
                             ],
                         ],
                     ],
    @@ -572,8 +572,8 @@ public function viewListDataProvider(): array
                                     ],
                                 ],
                             ],
    -                        'multiImageField' => [
    -                            'title' => 'translated multiImage field label',
    +                        'group1' => [
    +                            'title' => 'Group1Title',
                                 'useSubBlockDivider' => true,
                                 'subblocks' => [
                                     [
    @@ -582,7 +582,6 @@ public function viewListDataProvider(): array
                                         ],
                                     ],
                                 ],
    -                            'priority' => 501,
                             ],
                         ],
                     ],
    @@ -932,8 +931,8 @@ public function editDataProvider(): array
                                     ],
                                 ],
                             ],
    -                        'multiFileField' => [
    -                            'title' => 'translated multiFile field label',
    +                        'group1' => [
    +                            'title' => 'Group1Title',
                                 'useSubBlockDivider' => true,
                                 'subblocks' => [
                                     [
    @@ -942,7 +941,6 @@ public function editDataProvider(): array
                                         ],
                                     ],
                                 ],
    -                            'priority' => 501,
                             ],
                         ],
                     ],
    @@ -1003,8 +1001,8 @@ public function editDataProvider(): array
                                     ],
                                 ],
                             ],
    -                        'multiImageField' => [
    -                            'title' => 'translated multiImage field label',
    +                        'group1' => [
    +                            'title' => 'Group1Title',
                                 'useSubBlockDivider' => true,
                                 'subblocks' => [
                                     [
    @@ -1013,7 +1011,6 @@ public function editDataProvider(): array
                                         ],
                                     ],
                                 ],
    -                            'priority' => 501,
                             ],
                         ],
                     ],
    
  • src/Oro/Bundle/ProductBundle/Tests/Unit/EventListener/ProductMultiFileBlockListenerTest.php +45 -0 added
    @@ -0,0 +1,45 @@
    +<?php
    +
    +namespace Oro\Bundle\ProductBundle\Tests\Unit\EventListener;
    +
    +use Oro\Bundle\ProductBundle\EventListener\ProductMultiFileBlockListener;
    +use Oro\Bundle\UIBundle\Event\BeforeFormRenderEvent;
    +use Symfony\Component\Form\FormView;
    +use Twig\Environment;
    +
    +class ProductMultiFileBlockListenerTest extends \PHPUnit\Framework\TestCase
    +{
    +    /** @var ProductMultiFileBlockListener */
    +    private $productMultiFileBlockListener;
    +
    +    protected function setUp(): void
    +    {
    +        $this->productMultiFileBlockListener = new ProductMultiFileBlockListener();
    +    }
    +
    +    /**
    +     * @dataProvider dataProvider
    +     */
    +    public function testOnBeforeFormRender(string $pageId, bool $expected): void
    +    {
    +        $event = new BeforeFormRenderEvent(
    +            $this->createMock(FormView::class),
    +            [],
    +            $this->createMock(Environment::class),
    +            null,
    +        );
    +        $event->setPageId('valid-page-id');
    +
    +        $this->productMultiFileBlockListener->setPages([$pageId]);
    +        $this->productMultiFileBlockListener->onBeforeFormRender($event);
    +        self::assertEquals($event->isPropagationStopped(), $expected);
    +    }
    +
    +    public function dataProvider(): array
    +    {
    +        return [
    +            ['pageId' => 'non-valid-page-id', 'expected' => false],
    +            ['pageId' => 'valid-page-id', 'expected' => true],
    +        ];
    +    }
    +}
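
Review bot: `self::assertEquals($event->isPropagationStopped(), $expected)` in `testOnBeforeFormRender()` has its arguments reversed (PHPUnit takes the expected value first) and compares booleans loosely; use `self::assertSame($expected, $event->isPropagationStopped())`. The provider key `pageId` is what gets passed to `setPages()` while the event's page is fixed at `'valid-page-id'`, so a name such as `configuredPage` would read more clearly, and a case with no pages configured is missing.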
    
