CVE-2023-32064: 
PHP vulnerability analysis and mitigation

OroCommerce package with customer portal experienced a security vulnerability (CVE-2023-32064) that allowed back-office users to access information about Customer and Customer User menus by bypassing ACL security restrictions due to insufficient security checks. The vulnerability was discovered and disclosed on November 27, 2023, affecting versions >=4.2.0 through 4.2.8, >=5.0.0 through 5.0.10, and >=5.1.0 through 5.1.1 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.0 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs low privileges, requires no user interaction, has changed scope, and results in low confidentiality impact with no integrity or availability impact (GitHub Advisory, NVD).

The vulnerability allows unauthorized access to customer and customer user menu information, potentially exposing sensitive customer data to back-office users who should not have such access based on their ACL permissions (GitHub Advisory).

The vulnerability has been patched in versions 5.0.11 and 5.1.1. Users are advised to upgrade to these patched versions to mitigate the security risk (GitHub Advisory).