Pinned entity creation form shows wrong data

Impact

Logged in user can access page state data of pinned pages of other users by pageId hash.

Patch

--- src/Oro/Bundle/NavigationBundle/Controller/Api/PagestateController.php
+++ src/Oro/Bundle/NavigationBundle/Controller/Api/PagestateController.php
@@ -158,6 +158,13 @@
             AbstractPageState::generateHash($this->get('request_stack')->getCurrentRequest()->get('pageId'))
         );
 
+        if ($entity) {
+            $entity = $this->getEntity($entity->getId());
+        }
+        if (!$entity) {
+            return $this->handleNotFound();
+        }
+
         return $this->handleView($this->view($this->getState($entity), Response::HTTP_OK));
     }

References

dkhrysev published to oroinc/platform Mar 25, 2024

Published by the National Vulnerability Database Mar 25, 2024

Published to the GitHub Advisory Database Mar 25, 2024

Reviewed Mar 25, 2024

Last updated Mar 25, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patch

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code