Rgrebenchuk

#9722of 53,633
28.4Total CVSS
Vulnerabilities · 4
Medium
3
High
1
PT-2022-20477
6.9
2022-10-18
Unknown · Orocommerce · CVE-2022-31037
**Name of the Vulnerable Software and Affected Versions** OroCommerce versions 4.1.0 through 4.1.17 OroCommerce versions 4.2.0 through 4.2.11 OroCommerce versions 5.0.0 through 5.0.3 **Description** The issue concerns Cross-site Scripting in the UPS Surcharge field of the Shipping rule edit page. An attacker needs permission to create or edit a shipping rule to exploit this. **Recommendations** For versions 4.1.0 through 4.1.17, update to a version newer than 5.0.3, specifically to version 5.0.6 or later. For versions 4.2.0 through 4.2.11, update to a version newer than 5.0.3, specifically to version 5.0.6 or later. For versions 5.0.0 through 5.0.3, update to version 5.0.6 or later.
PT-2022-11376
6.9
2022-01-04
Unknown · Oroplatform · CVE-2021-41236
**Name of the Vulnerable Software and Affected Versions** OroPlatform (affected versions not specified) **Description** The email template preview in OroPlatform is vulnerable to XSS payload added to email template content. An attacker must have permission to create or edit an email template. For successful payload execution, the attacked user must preview a vulnerable email template. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2022-11920
8.8
2022-01-04
Unknown · Oroplatform · CVE-2021-43852
**Name of the Vulnerable Software and Affected Versions** OroPlatform versions prior to 4.2.8 **Description** The issue allows an attacker to inject properties into existing JavaScript language construct prototypes, such as objects, by sending a specially crafted request. This injection may lead to JavaScript code execution by libraries that are vulnerable to Prototype Pollution. **Recommendations** For versions prior to 4.2.8, update to version 4.2.8 to resolve the issue. As a temporary workaround, consider configuring a firewall or WAF to drop requests containing strings: ` proto `, `constructor[prototype]`, and `constructor.prototype` to mitigate this issue.
PT-2021-22453
5.8
2021-11-19
Orocrm · Orocrm · CVE-2021-39198
**Name of the Vulnerable Software and Affected Versions** OroCRM (affected versions not specified) **Description** The issue allows an attacker to disqualify any Lead with a Cross-Site Request Forgery (CSRF) attack. There are no workarounds that address this issue. All users are advised to update their package. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.