CVE-2023-32065: 
PHP vulnerability analysis and mitigation

OroCommerce, an open-source Business to Business Commerce application, was found to contain a vulnerability (CVE-2023-32065) that allows unauthorized access to detailed Order totals information through Order ID. The vulnerability affects versions 4.2.0 through 4.2.10, 5.0.0 through 5.0.10, and 5.1.0 through 5.1.1. This issue was disclosed on November 27, 2023 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.8 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, has changed scope, and only impacts confidentiality at a low level with no impact on integrity or availability. The vulnerability is classified as CWE-284 (Improper Access Control) (NVD).

The vulnerability allows unauthorized users to access detailed Order totals information by knowing the Order ID. This represents a potential data exposure risk for business-sensitive information (GitHub Advisory).

The vulnerability has been patched in OroCommerce versions 5.0.11 and 5.1.1. Users are advised to upgrade to these patched versions to protect against this vulnerability (GitHub Advisory).