PT-2023-13453 · Unknown · Orocommerce

Khrysev · Published 2023-10-09 · Updated 2023-10-12 · CVE-2022-35950

CVSS v3.1: 6.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

OroCommerce versions 4.1.0 through 4.1.13
OroCommerce versions 4.2.0 through 4.2.10
OroCommerce versions 5.0.0 through 5.0.10
OroCommerce version 5.1.0

Description

A JavaScript payload stored in a product name is executed in the storefront when a customer adds a note to a shopping-list line item that contains the vulnerable product (stored XSS). An attacker who can edit products in the admin area (the PR:H in the vector) saves the payload as the product name, then induces a storefront user to add that product to their Shopping List and click "add a note" for it (the UI:R); the payload then runs in the storefront user's browser session.

Recommendations

For versions 4.1.0 through 4.1.13, update to version 5.0.11 or later.
For versions 4.2.0 through 4.2.10, update to version 5.0.11 or later.
For versions 5.0.0 through 5.0.10, update to version 5.0.11.
For version 5.1.0, update to version 5.1.1.
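The following is an added illustration of the flaw class the description names, not OroCommerce's code or its actual fix: a storefront "add a note" dialog that interpolates the product name into markup unescaped, the same dialog with HTML escaping applied, and a small catalogue audit a practitioner can run on exported product names after upgrading. The product objects, the payload, and every function name are constructed for this example.

```javascript
// Added example (not OroCommerce code). Shows how a product name saved in the
// admin area can reach storefront markup unescaped, and the hardened form.
// All data below is constructed for the demo.

// Constructed sample: a product whose name carries a JS payload, as an
// attacker with product-edit rights in the admin area could save it.
const maliciousProduct = {
  sku: 'DEMO-001',
  name: 'Widget <img src=x onerror="alert(document.cookie)">',
};

// Constructed sample: a legitimate name that also needs escaping.
const benignProduct = { sku: 'DEMO-002', name: 'Tom & Jerry "Classic" <Set>' };

// Vulnerable rendering: the name is concatenated into HTML that is later
// assigned via innerHTML (or an unescaped template expression). The browser
// parses the <img> tag and runs its onerror handler in the storefront origin.
function renderNoteDialogVulnerable(lineItem) {
  return (
    '<div class="line-item-note">' +
    '<h3>Add a note for ' + lineItem.name + '</h3>' +
    '<textarea name="note"></textarea>' +
    '</div>'
  );
}

// HTML-escape the five characters that can change parse context in element
// content or in a double/single-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: every untrusted value is escaped before it touches markup.
// In DOM code the equivalent is building the <h3> with textContent/createTextNode.
function renderNoteDialogSafe(lineItem) {
  return (
    '<div class="line-item-note">' +
    '<h3>Add a note for ' + escapeHtml(lineItem.name) + '</h3>' +
    '<textarea name="note"></textarea>' +
    '</div>'
  );
}

// Crude check used in the test: does the rendered string still contain a live
// tag with an event-handler attribute? A real test would render into a DOM.
function containsActiveMarkup(html) {
  return /<[a-z][^>]*\bon[a-z]+\s*=/i.test(html);
}

// Post-upgrade audit: flag catalogue entries whose names contain raw markup or
// script-ish fragments, so already-stored payloads can be found and cleaned.
// Returns the SKUs of suspicious products.
function findSuspiciousProductNames(products) {
  const suspicious = /<\s*[a-z!\/]|on[a-z]+\s*=|javascript\s*:|&#x?[0-9a-f]+;?/i;
  return products.filter((p) => suspicious.test(p.name)).map((p) => p.sku);
}
```

The escaping function is applied at the point where untrusted text is inserted into markup; escaping on save would also break legitimate names such as the benign sample above when they are displayed in non-HTML contexts. The audit regex is deliberately broad and will produce false positives on names that legitimately contain `<` or `&#`; review its hits rather than deleting them automatically.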

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related identifiers

CVE-2022-35950
GHSA-2JC6-3FHJ-8Q84

Affected products

Orocommerce