CVE-2022-31037

Published: Oct 18, 2022Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

OroCommerce is an open-source Business to Business Commerce application. Versions between 4.1.0 and 4.1.17 inclusive, 4.2.0 and 4.2.11 inclusive, and between 5.0.0 and 5.0.3 inclusive, are vulnerable to Cross-site Scripting in the UPS Surcharge field of the Shipping rule edit page. The attacker needs permission to create or edit a shipping rule. This issue has been patched in version 5.0.6. There are no known workarounds.

Affected (3)

Products: Oroinc: Orocommerce

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Oroinc Orocommerce	From 4.1.0 to 4.1.17
Oroinc Orocommerce	From 4.2.0 to 4.2.11
Oroinc Orocommerce	From 5.0.0 to 5.0.3

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://github.com/oroinc/orocommerce/security/advisories/GHSA-4vf4-955g-vxp2

Source: security-advisories@github.com

Third Party Advisory

https://github.com/oroinc/orocommerce/security/advisories/GHSA-4vf4-955g-vxp2

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.