OroCommerce vulnerable to XSS when adding class name to Selector Manager on pages that use GrapeJS editor

2022-07-1519:25:06

Google

osv.dev

orocommerce

xss

vulnerability

grapejs

executable code

class name validation

security patch

dependency update

Impact

Due to insufficient class name validation in GrapeJS library it’s possible to add executable JS code in class name through Selector Manager

Update GrapeJS dependency to >=v0.19.5

github.com/artf/grapesjs/issues/4411

github.com/oroinc/orocommerce

github.com/oroinc/orocommerce/security/advisories/GHSA-6f85-3f8q-qc94