
GHSA-4vf4-955g-vxp2: OroCommerce Cross site scripting vulnerability during shipping rule editing for UPS integration

Impact

The shipping rule edit page is vulnerable to cross-site scripting (XSS) via a payload added to the UPS Surcharge field. The attacker must have permission to create or edit a shipping rule.



Moderate severity · GitHub Reviewed · Published Oct 18, 2022 in oroinc/orocommerce · Updated Oct 18, 2022

Related news

CVE-2022-31037: XSS vulnerability during shipping rule editing for UPS integration

OroCommerce is an open-source Business to Business Commerce application. Versions 4.1.0 through 4.1.17, 4.2.0 through 4.2.11, and 5.0.0 through 5.0.3 (all inclusive) are vulnerable to cross-site scripting in the UPS Surcharge field of the shipping rule edit page. The attacker needs permission to create or edit a shipping rule. This issue has been patched in version 5.0.6. There are no known workarounds.