Headline
CVE-2023-32065: get-totals-for-checkout API endpoint returns unwanted data
OroCommerce is an open-source Business to Business Commerce application built with flexibility in mind. Detailed Order totals information may be received by Order ID. This issue is patched in version 5.0.11 and 5.1.1.
Package
composer oro/commerce (Composer)
Affected versions
>=4.2.0, <=4.2.10 || >=5.0.0, <=5.0.10 || >=5.1.0, <5.1.1
Patched versions
5.1.1, 5.0.11
Description
Detailed Checkout totals information may be received by Checkout ID
Related news
GHSA-88g2-xgh9-4ph2: OroCommerce get-totals-for-checkout API endpoint returns unwanted data
Detailed Checkout totals information may be received by Checkout ID