← Back

CVE-2022-35950

nvd nist
Published: Oct 9, 2023Modified: Nov 21, 2024

JSON object

Loading...
4.8
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Exploitability: 1.7 / Impact: 2.7
Source: NVD

Description

OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line item containing a vulnerable product. An attacker should be able to edit a product in the admin area and force a user to add this product to Shopping List and click add a note for it. Versions 5.0.11 and 5.1.1 contain a fix for this issue.

Affected (10)

Products: Oroinc: Orocommerce
Oroinc
1 product
Orocommerce
Configuration A
10 vulnerable
Vulnerable SoftwareAffected Versions
Oroinc
Orocommerce
From 4.1.0 to 4.1.13
Orocommerce
From 4.2.0 to 4.2.10
Orocommerce
From 5.0.0 to 5.0.10
Orocommerce
Version 5.1.0
Orocommerce
Version 5.1.0 alpha1
Orocommerce
Version 5.1.0 alpha2
Orocommerce
Version 5.1.0 beta1
Orocommerce
Version 5.1.0 beta2
Orocommerce
Version 5.1.0 rc1
Orocommerce
Version 5.1.0 rc2

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

Source: security-advisories@github.com
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.