5 matches found
Information Disclosure
oro/commerce is vulnerable to information disclosure. The vulnerability allows back-office users to bypass access control (ACL) restrictions and read detailed order totals simply by knowing the order ID...
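The pattern behind that entry is an authenticated endpoint that loads an object by ID but never asks the ACL whether this user may see that object. The following is an added illustration, not OroCommerce code: the users, orders and ACL rule are constructed in memory, and the function names are made up for the example.

```javascript
// Added example (not OroCommerce code). Models an "order totals" lookup that
// authenticates but does not authorize per object, beside a hardened version
// that checks the ACL against the loaded order before returning anything.
// Users, orders and the ACL rule below are constructed sample data.

const ORDERS = new Map([
  [1001, { id: 1001, ownerId: 'alice', totals: { subtotal: 120.0, shipping: 9.5, total: 129.5 } }],
  [1002, { id: 1002, ownerId: 'bob',   totals: { subtotal: 40.0,  shipping: 5.0, total: 45.0 } }],
]);

const USERS = {
  alice:   { id: 'alice',   roles: ['ROLE_SALES'] },
  bob:     { id: 'bob',     roles: ['ROLE_SALES'] },
  manager: { id: 'manager', roles: ['ROLE_ORDER_MANAGER'] },
};

// Toy ACL (hypothetical rule, not Oro's): sales users may VIEW their own
// orders; an order manager may VIEW any order.
const ACL = {
  isGranted(user, permission, order) {
    if (permission !== 'VIEW') return false;
    if (user.roles.includes('ROLE_ORDER_MANAGER')) return true;
    return order.ownerId === user.id;
  },
};

class AccessDenied extends Error {}
class NotFound extends Error {}

// Vulnerable shape: any logged-in back-office user who knows the ID gets the totals.
function orderTotalsUnsafe(user, orderId) {
  if (!user) throw new AccessDenied('login required');
  const order = ORDERS.get(orderId);
  if (!order) throw new NotFound(`order ${orderId}`);
  return order.totals;               // no per-object ACL check
}

// Hardened shape: load, then authorize against the loaded object.
// "Not found" and "not allowed" collapse to the same error so an attacker
// iterating IDs cannot tell which orders exist (a design choice for this example).
function orderTotalsSafe(user, orderId) {
  if (!user) throw new AccessDenied('login required');
  const order = ORDERS.get(orderId);
  if (!order || !ACL.isGranted(user, 'VIEW', order)) {
    throw new NotFound(`order ${orderId}`);
  }
  return order.totals;
}

// Run bob (not the owner, not a manager) against alice's order through both paths.
function demo() {
  const leaked = orderTotalsUnsafe(USERS.bob, 1001);
  let blocked;
  try { orderTotalsSafe(USERS.bob, 1001); blocked = false; } catch (e) { blocked = e instanceof NotFound; }
  return { leaked, blocked };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The check that matters is the one in `orderTotalsSafe`: it runs after the object is loaded, because the decision depends on the object (its owner), not just on the route.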
Cross-Site Scripting (XSS)
oro/commerce is vulnerable to cross-site scripting. The vulnerability is due to a lack of sanitization in the shipping rule edit page, which allows an attacker to inject and execute arbitrary JavaScript...
OroCommerce Cross-Site Scripting Vulnerability
OroCommerce is an open source business-to-business commerce application from Oro Open Source. A cross-site scripting (XSS) vulnerability exists in OroCommerce versions 4.1.0 through 4.1.17, 4.2.0 through 4.2.11, and 5.0.0 through 5.0.3, which stems from susceptibility to cross-site scripting attack...
PT-2022-20477 · Unknown · Orocommerce
Name of the Vulnerable Software and Affected Versions: OroCommerce versions 4.1.0 through 4.1.17 OroCommerce versions 4.2.0 through 4.2.11 OroCommerce versions 5.0.0 through 5.0.3 Description: The issue concerns Cross-site Scripting in the UPS Surcharge field of the Shipping rule edit page. An...
Cross-site Scripting (XSS)
oro/commerce is vulnerable to cross-site scripting. The vulnerability exists through the grapesjs dependency used in the library, which does not properly validate the class name in ClassTagView.ts when it is added to the selector manager, allowing an attacker to inject and execute malicious JavaScript...
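What "does not properly validate the class name" looks like in practice is a user-controlled string that is interpolated into markup before anyone checks that it is a class name at all. The block below is an added illustration, not grapesjs or OroCommerce code: the selector manager is a toy stand-in, the allowlist regex is the example's own choice, and the sample inputs are constructed.

```javascript
// Added example (not grapesjs or OroCommerce code). Shows the bug class
// described above, a raw class name reaching the DOM as HTML, beside a
// hardened path that validates the name before it enters the selector
// manager and escapes it on output. SelectorManager is a toy stand-in.

class SelectorManager {
  constructor() { this.classes = new Set(); }
  add(name) { this.classes.add(name); return name; }
  has(name) { return this.classes.has(name); }
}

// Vulnerable pattern: the raw name is dropped into markup (innerHTML-style),
// so a "name" such as  "><img src=x onerror=alert(1)>  closes the attribute
// and becomes live HTML when the tag is rendered.
function renderTagUnsafe(className) {
  return `<span class="tag" data-name="${className}">${className}</span>`;
}

// Conservative allowlist for class names (example's own choice, stricter than
// the CSS grammar: no escapes, no non-ASCII): optional leading hyphen, then a
// letter or underscore, then letters, digits, hyphens or underscores.
const CLASS_NAME_RE = /^-?[A-Za-z_][A-Za-z0-9_-]*$/;

function isValidClassName(name) {
  return typeof name === 'string' && name.length <= 128 && CLASS_NAME_RE.test(name);
}

// Minimal HTML escaper for the text and double-quoted attribute contexts used here.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: reject anything that is not a class name before it is
// stored, and still escape on output (another code path may build markup
// from the stored name later).
function addClassSafe(manager, rawName) {
  if (!isValidClassName(rawName)) {
    throw new Error(`rejected class name: ${JSON.stringify(rawName)}`);
  }
  return manager.add(rawName);
}

function renderTagSafe(className) {
  const safe = escapeHtml(className);
  return `<span class="tag" data-name="${safe}">${safe}</span>`;
}

// Constructed sample inputs: one benign name, one injection attempt.
const SAMPLES = ['btn-primary', '"><img src=x onerror=alert(1)>'];

function demo() {
  const manager = new SelectorManager();
  return SAMPLES.map((name) => {
    let accepted;
    try { addClassSafe(manager, name); accepted = true; } catch (e) { accepted = false; }
    return { name, accepted, unsafeHtml: renderTagUnsafe(name), safeHtml: renderTagSafe(name) };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of demo()) console.log(r);
}
```

Validation at the point where the name enters the selector manager is the fix that addresses the root cause; output escaping is kept as well because a stored name can be rendered from more than one place.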