CVE-2022-35950

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-35950

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-35950.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-35950

Aliases

GHSA-2jc6-3fhj-8q84

Published

2023-10-09T14:15:10Z

Modified

2024-06-13T07:32:19.539213Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line item containing a vulnerable product. An attacker should be able to edit a product in the admin area and force a user to add this product to Shopping List and click add a note for it. Versions 5.0.11 and 5.1.1 contain a fix for this issue.

References

https://github.com/oroinc/orocommerce/security/advisories/GHSA-2jc6-3fhj-8q84

Affected packages

Git / github.com/oroinc/orocommerce

Affected ranges

Type: GIT
Repo: https://github.com/oroinc/orocommerce
Events: Introduced

4f84e69298456fa41df5331bdfe5af79e529a099

Last affected

12159ca7eaa63d6f79e12f164c4388be70f7b0b0

Last affected

5819184990cb46a634a3bd78e05a61fe63deef49

Introduced

c2cd64739319fe0c592a64a94c727ed3a091b999

Last affected

5c08f77f5e23711e0afc5660b3042d3d77886e37

Introduced

d61e5abbc89ca6719e3ae2608f4611b3d4e7ddf7

Last affected

91e2fab705a4648c7fdd3e1596f3d084959e3282

Affected versions

4.*

4.1.0

4.1.1

4.1.1-rc

4.1.1-rc2

4.1.10

4.1.11

4.1.12

4.1.13

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6

4.1.7

4.1.8

4.1.9

4.2.0

4.2.1

4.2.10

4.2.2

4.2.3

4.2.4

4.2.5

4.2.6

4.2.7

4.2.8

4.2.9

5.*

5.0.0

5.0.1

5.0.10

5.0.2

5.0.3

5.0.4

5.0.5

5.0.6

5.0.7

5.0.8

5.0.9