PT-2023-13453 · Unknown · Orocommerce

Khrysev

·

Published

2023-10-09

·

Updated

2023-10-12

·

CVE-2022-35950

CVSS v3.1

6.9

Medium

Vector

AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

OroCommerce versions 4.1.0 through 4.1.13
OroCommerce versions 4.2.0 through 4.2.10
OroCommerce versions 5.0.0 through 5.0.10
OroCommerce version 5.1.0

Description

Stored cross-site scripting (XSS): a JavaScript payload saved in a product's name is executed in the storefront when a note is added to a shopping-list line item that contains that product. Exploitation requires an attacker who can edit products in the admin area (PR:H); the payload then runs in the browser of any storefront user who adds the product to a Shopping List and clicks to add a note for it (UI:R). Because the script executes in the storefront rather than the admin area where it was injected, the scope is changed (S:C).

Recommendations

For versions 4.1.0 through 4.1.13, update to version 5.0.11 or later.
For versions 4.2.0 through 4.2.10, update to version 5.0.11 or later.
For versions 5.0.0 through 5.0.10, update to version 5.0.11 or later.
For version 5.1.0, update to version 5.1.1 or later.
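The bug class behind this advisory, as an added illustration that is not OroCommerce's code: a storefront widget that builds the line-item "add note" markup by string concatenation trusts the product name because only admins can edit products, which is exactly the assumption an attacker with admin product-edit rights (PR:H) breaks. The function names, the field names and the sample product are hypothetical; the hardened variant escapes every dynamic value before interpolation, and a small tag-inventory check shows which render leaks an element that the template never declared.

```javascript
// Added example for CVE-2022-35950's bug class (stored XSS via product name
// rendered in the storefront shopping list). NOT OroCommerce's code: names,
// fields and the sample product below are hypothetical/constructed.

// Constructed sample: a product whose name carries a script payload, as an
// attacker with product-edit rights in the admin area could save it.
const SAMPLE_PRODUCT = {
  sku: 'SKU-001',
  name: 'Widget <img src=x onerror="alert(document.cookie)">',
};
const SAMPLE_NOTE = 'Need 5 of these';

// Minimal HTML escaper, safe for text nodes and double-quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// VULNERABLE: server data is concatenated straight into markup. The product
// name is treated as trusted because "only admins can edit products".
function renderLineItemNoteVulnerable(product, note) {
  return '<div class="line-item">' +
    '<span class="name">' + product.name + '</span>' +
    '<textarea class="note">' + note + '</textarea>' +
    '</div>';
}

// HARDENED: every dynamic value is escaped before interpolation, so a payload
// in the product name is rendered as inert text.
function renderLineItemNoteSafe(product, note) {
  return '<div class="line-item">' +
    '<span class="name">' + escapeHtml(product.name) + '</span>' +
    '<textarea class="note">' + escapeHtml(note) + '</textarea>' +
    '</div>';
}

// Tags the template itself is allowed to emit. Anything else in the output
// must have come from data, i.e. an injection.
const TEMPLATE_TAGS = new Set(['div', 'span', 'textarea']);

// Inventory of element names (opening and closing) present in the markup.
function tagNames(html) {
  return [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

// Returns the tag names that appear in the output but not in the template.
function injectedTags(html, allowed = TEMPLATE_TAGS) {
  return tagNames(html).filter((t) => !allowed.has(t));
}

// Stand-alone demonstration: the vulnerable render leaks an <img> with an
// onerror handler; the hardened render leaks nothing.
console.log('vulnerable injected tags:', injectedTags(renderLineItemNoteVulnerable(SAMPLE_PRODUCT, SAMPLE_NOTE)));
console.log('hardened injected tags:  ', injectedTags(renderLineItemNoteSafe(SAMPLE_PRODUCT, SAMPLE_NOTE)));
```

In a real storefront the fix is to let the template engine auto-escape or to assign user-controlled strings via textContent rather than hand-rolling escapeHtml; the point of the tag inventory is that an XSS regression test should compare the set of elements a render produces against the set the template declares, for every field an admin can edit.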

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-35950
GHSA-2JC6-3FHJ-8Q84

Affected Products

Orocommerce