Lucene search
K

46 matches found

Github Security Blog
Github Security Blog
added 2023/11/27 11:29 p.m.25 views

OroCommerce get-totals-for-checkout API endpoint returns unwanted data

Detailed Checkout totals information may be received by Checkout ID...

5.8CVSS6.5AI score0.00491EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2023/11/27 11:29 p.m.17 views

GHSA-8GWJ-68W6-7V6C OroCommerce Customer Portal Incorrect Customer and Customer Group Frontend Menus pages visibility

Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks...

4.3CVSS4.6AI score0.00497EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2023/11/27 11:29 p.m.18 views

OroCommerce Customer Portal Incorrect Customer and Customer Group Frontend Menus pages visibility

Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks...

5CVSS6.5AI score0.00497EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2023/11/27 12:0 a.m.4 views

PT-2023-23579 · Unknown · Orocommerce

Name of the Vulnerable Software and Affected Versions: OroCommerce versions prior to 5.0.11 OroCommerce versions prior to 5.1.1 Description: The issue allows detailed order totals information to be received by Order ID, and detailed checkout totals information may be received by Checkout ID...

5.8CVSS5.4AI score0.00491EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2023/11/27 12:0 a.m.7 views

PT-2023-23578 · Unknown · Orocommerce

Name of the Vulnerable Software and Affected Versions: OroCommerce versions prior to 5.0.11 OroCommerce versions prior to 5.1.1 Description: The issue allows back-office users to access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient...

5CVSS4.5AI score0.00497EPSS
Exploits0References7
Veracode
Veracode
added 2023/10/11 6:9 a.m.19 views

Cross Site Scripting

OroCommerce is vulnerable to Cross Site Scripting. The vulnerability is due to improper validation or sanitization of the product name parameter when adding a note to the shopping list line. This can be exploited by the attacker by injecting malicious JS payload to the product name...

6.9CVSS6.8AI score0.00358EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2023/10/10 9:10 p.m.15 views

GHSA-2JC6-3FHJ-8Q84 OroCommerce Cross-site Scripting vulnerability in add note dialog of Shopping List line item

Impact The JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line item containing a vulnerable product. An attacker should be able to edit a product in the admin area and force a user to add this product to Shopping List and click add a...

4.8CVSS5.5AI score0.00358EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2023/10/10 9:10 p.m.24 views

OroCommerce Cross-site Scripting vulnerability in add note dialog of Shopping List line item

Impact The JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line item containing a vulnerable product. An attacker should be able to edit a product in the admin area and force a user to add this product to Shopping List and click add a...

6.9CVSS6.7AI score0.00358EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2023/10/09 2:15 p.m.39 views

CVE-2022-35950

OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line...

6.9CVSS6.5AI score0.00358EPSS
Exploits0References1
Prion
Prion
added 2023/10/09 2:15 p.m.21 views

Design/Logic Flaw

OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line...

4.3CVSS4.9AI score0.00358EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2023/10/09 1:6 p.m.9 views

CVE-2022-35950 OroCommerce Cross-site Scripting vulnerability in add note dialog of Shopping List line item

OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line...

6.9CVSS6.6AI score0.00358EPSS
Exploits0References1
CVE
CVE
added 2023/10/09 1:6 p.m.72 views

CVE-2022-35950

CVE-2022-35950 affects OroCommerce. In 4.1.0–4.1.13, 4.2.0–4.2.10, 5.0.0–5.0.10, and 5.1.0–5.1.0 (up to 5.1.1), a JavaScript payload added to the product name may execute at the storefront when a user adds a note to a shopping-list line item containing a vulnerable product. An attacker who can ed...

6.9CVSS5.5AI score0.00358EPSS
Exploits0References1Affected Software1
OSV
OSV
added 2023/10/09 1:6 p.m.32 views

CVE-2022-35950 OroCommerce Cross-site Scripting vulnerability in add note dialog of Shopping List line item

OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line...

6.9CVSS5.3AI score0.00358EPSS
Exploits0References3
Cvelist
Cvelist
added 2023/10/09 1:6 p.m.39 views

CVE-2022-35950 OroCommerce Cross-site Scripting vulnerability in add note dialog of Shopping List line item

OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line...

6.9CVSS6.7AI score0.00358EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2023/10/09 12:0 a.m.6 views

PT-2023-13453 · Unknown · Orocommerce

Name of the Vulnerable Software and Affected Versions: OroCommerce versions 4.1.0 through 4.1.13 OroCommerce versions 4.2.0 through 4.2.10 OroCommerce versions 5.0.0 through 5.0.10 OroCommerce versions 5.1.0 Description: The issue allows a JS payload added to the product name to be executed at th...

6.9CVSS5.2AI score0.00358EPSS
Exploits0References6
CNNVD
CNNVD
added 2023/10/09 12:0 a.m.6 views

OroCommerce Cross-Site Scripting Vulnerability

OroCommerce is an open source business-to-business commerce application from Oro. A cross-site scripting vulnerability exists in OroCommerce versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 through 5.0.11, and 5.1.0 through 5.1.1, which stems from the possibility that the JS payload add...

6.9CVSS6.1AI score0.00358EPSS
Exploits0References2
OSV
OSV
added 2022/10/18 7:52 p.m.20 views

GHSA-4VF4-955G-VXP2 OroCommerce Cross site scripting vulnerability during shipping rule editing for UPS integration

Impact Shipping rule edit page is vulnerable to cross site scripting XSS payload added to UPS Surcharge field. The attacker should have permission to create or edit a shipping rule...

6.9CVSS5.6AI score0.00401EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2022/10/18 7:52 p.m.27 views

OroCommerce Cross site scripting vulnerability during shipping rule editing for UPS integration

Impact Shipping rule edit page is vulnerable to cross site scripting XSS payload added to UPS Surcharge field. The attacker should have permission to create or edit a shipping rule...

6.9CVSS5.1AI score0.00401EPSS
Exploits0References3Affected Software1
NVD
NVD
added 2022/10/18 10:15 a.m.40 views

CVE-2022-31037

OroCommerce is an open-source Business to Business Commerce application. Versions between 4.1.0 and 4.1.17 inclusive, 4.2.0 and 4.2.11 inclusive, and between 5.0.0 and 5.0.3 inclusive, are vulnerable to Cross-site Scripting in the UPS Surcharge field of the Shipping rule edit page. The attacker...

6.9CVSS0.00401EPSS
Exploits0References1
Prion
Prion
added 2022/10/18 10:15 a.m.24 views

Cross site scripting

OroCommerce is an open-source Business to Business Commerce application. Versions between 4.1.0 and 4.1.17 inclusive, 4.2.0 and 4.2.11 inclusive, and between 5.0.0 and 5.0.3 inclusive, are vulnerable to Cross-site Scripting in the UPS Surcharge field of the Shipping rule edit page. The attacker...

4.9CVSS5.2AI score0.00401EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder