Advisories for Composer/Oro/Crm package

OroCRM is prone to open redirection which could allow attackers to redirect users to external website.

OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. Back-office users can access information from any call event, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.4 and 5.1.1.

OroCRM is an open source Client Relationship Management (CRM) application. There are no workarounds that address this vulnerability and all users are advised to update their package.

Forced Redirect to External Website.