46 matches found
OroCommerce get-totals-for-checkout API endpoint returns unwanted data
Detailed Checkout totals information may be received by Checkout ID...
GHSA-8GWJ-68W6-7V6C OroCommerce Customer Portal Incorrect Customer and Customer Group Frontend Menus pages visibility
Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks...
OroCommerce Customer Portal Incorrect Customer and Customer Group Frontend Menus pages visibility
Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks...
PT-2023-23579 · Unknown · Orocommerce
Name of the Vulnerable Software and Affected Versions: OroCommerce versions prior to 5.0.11 OroCommerce versions prior to 5.1.1 Description: The issue allows detailed order totals information to be received by Order ID, and detailed checkout totals information may be received by Checkout ID...
PT-2023-23578 · Unknown · Orocommerce
Name of the Vulnerable Software and Affected Versions: OroCommerce versions prior to 5.0.11 OroCommerce versions prior to 5.1.1 Description: The issue allows back-office users to access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient...
Cross Site Scripting
OroCommerce is vulnerable to Cross Site Scripting. The vulnerability is due to improper validation or sanitization of the product name parameter when adding a note to the shopping list line. This can be exploited by the attacker by injecting malicious JS payload to the product name...
GHSA-2JC6-3FHJ-8Q84 OroCommerce Cross-site Scripting vulnerability in add note dialog of Shopping List line item
Impact The JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line item containing a vulnerable product. An attacker should be able to edit a product in the admin area and force a user to add this product to Shopping List and click add a...
OroCommerce Cross-site Scripting vulnerability in add note dialog of Shopping List line item
Impact The JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line item containing a vulnerable product. An attacker should be able to edit a product in the admin area and force a user to add this product to Shopping List and click add a...
CVE-2022-35950
OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line...
Design/Logic Flaw
OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line...
CVE-2022-35950 OroCommerce Cross-site Scripting vulnerability in add note dialog of Shopping List line item
OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line...
CVE-2022-35950
CVE-2022-35950 affects OroCommerce. In 4.1.0–4.1.13, 4.2.0–4.2.10, 5.0.0–5.0.10, and 5.1.0–5.1.0 (up to 5.1.1), a JavaScript payload added to the product name may execute at the storefront when a user adds a note to a shopping-list line item containing a vulnerable product. An attacker who can ed...
CVE-2022-35950 OroCommerce Cross-site Scripting vulnerability in add note dialog of Shopping List line item
OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line...
CVE-2022-35950 OroCommerce Cross-site Scripting vulnerability in add note dialog of Shopping List line item
OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line...
PT-2023-13453 · Unknown · Orocommerce
Name of the Vulnerable Software and Affected Versions: OroCommerce versions 4.1.0 through 4.1.13 OroCommerce versions 4.2.0 through 4.2.10 OroCommerce versions 5.0.0 through 5.0.10 OroCommerce versions 5.1.0 Description: The issue allows a JS payload added to the product name to be executed at th...
OroCommerce Cross-Site Scripting Vulnerability
OroCommerce is an open source business-to-business commerce application from Oro. A cross-site scripting vulnerability exists in OroCommerce versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 through 5.0.11, and 5.1.0 through 5.1.1, which stems from the possibility that the JS payload add...
GHSA-4VF4-955G-VXP2 OroCommerce Cross site scripting vulnerability during shipping rule editing for UPS integration
Impact Shipping rule edit page is vulnerable to cross site scripting XSS payload added to UPS Surcharge field. The attacker should have permission to create or edit a shipping rule...
OroCommerce Cross site scripting vulnerability during shipping rule editing for UPS integration
Impact Shipping rule edit page is vulnerable to cross site scripting XSS payload added to UPS Surcharge field. The attacker should have permission to create or edit a shipping rule...
CVE-2022-31037
OroCommerce is an open-source Business to Business Commerce application. Versions between 4.1.0 and 4.1.17 inclusive, 4.2.0 and 4.2.11 inclusive, and between 5.0.0 and 5.0.3 inclusive, are vulnerable to Cross-site Scripting in the UPS Surcharge field of the Shipping rule edit page. The attacker...
Cross site scripting
OroCommerce is an open-source Business to Business Commerce application. Versions between 4.1.0 and 4.1.17 inclusive, 4.2.0 and 4.2.11 inclusive, and between 5.0.0 and 5.0.3 inclusive, are vulnerable to Cross-site Scripting in the UPS Surcharge field of the Shipping rule edit page. The attacker...