GHSA-v8hp-239v-9367: 
PHP vulnerability analysis and mitigation

OroCRM, between versions 1.7.0 and 1.7.4, was identified with a vulnerability related to open redirection (GHSA-v8hp-239v-9367). The issue was discovered and disclosed on July 8, 2015, affecting the core functionality of the OroCRM platform. This moderate severity vulnerability could potentially allow attackers to perform forced redirects to external websites (GitHub Advisory).

The vulnerability has been assessed with a CVSS v3.1 score of 6.1 (Moderate severity), with the following characteristics: Network attack vector, Low attack complexity, No privileges required, User interaction required, Changed scope, Low impact on confidentiality and integrity, and No impact on availability. The technical vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-601 (GitHub Advisory).

The vulnerability could enable attackers to redirect users to external websites through the Open Redirect method, potentially compromising user security and trust. The impact primarily affects confidentiality and integrity at a low level, while availability remains unaffected (OroCRM Blog).

The vulnerability was patched in version 1.7.4. OroCRM Enterprise Edition customers were advised to upgrade to version 1.9.3, while Community Edition users were recommended to upgrade to version 1.7.4. B2B SaaS Enterprise customers required no action as the engineering team addressed the issue on their behalf (OroCRM Blog).