CVE-2022-35950

OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line...

EUVD-2023-2619

Malicious code in bioql PyPI...

EUVD-2022-7019

Malicious code in bioql PyPI...

EUVD-2023-2921

Malicious code in bioql PyPI...

CVE-2023-32064

OroCommerce package with customer portal and non authenticated visitor website base features. Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.11 and...

CVE-2023-32065

OroCommerce is an open-source Business to Business Commerce application built with flexibility in mind. Detailed Order totals information may be received by Order ID. This issue is patched in version 5.0.11 and 5.1.1...

CVE-2022-31037

OroCommerce is an open-source Business to Business Commerce application. Versions between 4.1.0 and 4.1.17 inclusive, 4.2.0 and 4.2.11 inclusive, and between 5.0.0 and 5.0.3 inclusive, are vulnerable to Cross-site Scripting in the UPS Surcharge field of the Shipping rule edit page. The attacker...

CVE-2023-32064

OroCommerce package with customer portal and non authenticated visitor website base features. Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.11 and...

CVE-2023-32065

OroCommerce is an open-source Business to Business Commerce application built with flexibility in mind. Detailed Order totals information may be received by Order ID. This issue is patched in version 5.0.11 and 5.1.1...

Security feature bypass

OroCommerce package with customer portal and non authenticated visitor website base features. Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.11 and...

Design/Logic Flaw

OroCommerce is an open-source Business to Business Commerce application built with flexibility in mind. Detailed Order totals information may be received by Order ID. This issue is patched in version 5.0.11 and 5.1.1...

CVE-2023-32065

CVE-2023-32065 affects OroCommerce where the get-totals-for-checkout API endpoint can disclose detailed order totals to users who should not have access, by exploiting inadequate access control around Order IDs. Public sources in the connected documents describe an information-disclosure path ena...

CVE-2023-32065 OroCommerce get-totals-for-checkout API endpoint returns unwanted data

OroCommerce is an open-source Business to Business Commerce application built with flexibility in mind. Detailed Order totals information may be received by Order ID. This issue is patched in version 5.0.11 and 5.1.1...

CVE-2023-32065 OroCommerce get-totals-for-checkout API endpoint returns unwanted data

OroCommerce is an open-source Business to Business Commerce application built with flexibility in mind. Detailed Order totals information may be received by Order ID. This issue is patched in version 5.0.11 and 5.1.1...

CVE-2023-32064

Summary (CVE-2023-32064): OroCommerce exposes an access control vulnerability where back-office users can view information in Customer and Customer User menus due to insufficient ACL checks. This affects OroCommerce package with customer portal features. The issue is mitigated by upgrading to ver...

CVE-2023-32064 OroCommerce Customer Portal Incorrect Customer and Customer Group Frontend Menus pages visibility

OroCommerce package with customer portal and non authenticated visitor website base features. Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.11 and...

CVE-2023-32064 OroCommerce Customer Portal Incorrect Customer and Customer Group Frontend Menus pages visibility

OroCommerce package with customer portal and non authenticated visitor website base features. Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.11 and...

OroCommerce Access Control Error Vulnerability

OroCommerce is an open source business-to-business commerce application from Oro. An access control error vulnerability exists in OroCommerce that stems from allowing Order IDs to receive detailed order total information. Affected product versions: OroCommerce versions 4.2.0 through 4.2.10, 5.0.0...

OroCommerce Access Control Error Vulnerability

OroCommerce is an open source business-to-business commerce application from Oro. OroCommerce suffers from an Access Control Error vulnerability that stems from insufficient security checks, which allows an attacker to bypass Access Control Lists ACLs. Affected products and versions: OroCommerce...

OroCommerce get-totals-for-checkout API endpoint returns unwanted data

Detailed Checkout totals information may be received by Checkout ID...