CVE-2024-37297

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-37297
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-37297.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-37297
Aliases
Published
2024-06-12T15:15:52Z
Modified
2024-10-08T04:16:25.299231Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the Sourcebuster.js library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature.

References

Affected packages

Git / github.com/woocommerce/woocommerce

Affected ranges

Type
GIT
Repo
https://github.com/woocommerce/woocommerce
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
0e9888305d0cb9557e58f558526ab11cb3bcc4b4
Fixed
915e32a42762916b745a7e663c8b69a698da8b67

Affected versions

1.*

1.0
1.0.1
1.0.2
1.0.3
1.1
1.1.1
1.1.2
1.1.3
1.2
1.2.1
1.2.2
1.2.3
1.2.4
1.3
1.3.1
1.3.2
1.4
1.4.1
1.4.2
1.4.3
1.4.4
1.5
1.5.1
1.5.2
1.5.2.1
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.7.1
1.5.8
1.6-beta-1
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.5.1

2.*

2.0-beta-0
2.0.0
2.0.0-RC1
2.0.0-RC2
2.0.0-RC3
2.0.0-beta1
2.0.0-beta2
2.0.0-beta3
2.0.1
2.0.10
2.0.11
2.0.12
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.1.0
2.1.0-RC1
2.1.0-RC2
2.1.0-beta-1
2.1.0-beta-2
2.1.0-beta-3
2.1.1
2.1.10
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.1.9
2.2-beta-1
2.2-beta-2
2.2-beta-3
2.2.0
2.2.0-RC1
2.2.1
2.2.2
2.2.3
2.2.4
2.3.0
2.3.0-RC1
2.3.0-beta-1
2.3.0-beta-2
2.3.0-beta-3
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.4.0
2.4.0-RC1
2.4.0-beta-1
2.4.0-beta-2
2.4.0-beta-3
2.4.0-beta-4
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.5.0
2.5.0-RC1
2.5.0-RC2
2.5.0-RC3
2.5.0-beta-1
2.5.0-beta-2
2.5.0-beta-3
2.6.0
2.6.0-RC1
2.6.0-RC2
2.6.0-beta-1
2.6.0-beta-2
2.6.0-beta-3
2.6.0-beta-4
2.6.1
2.6.2
2.6.3
2.7.0-RC1
2.7.0-beta-1
2.7.0-beta-2
2.7.0-beta-3
2.7.0-beta-4

3.*

3.0.0
3.0.0-rc.1
3.0.0-rc.2
3.1.0-beta-1
3.1.0-beta.1
3.1.0-beta.2
3.1.0-rc.1
3.2.0-beta.1
3.2.0-beta.2
3.2.0-rc.1
3.3.0-beta.1
3.3.0-beta.2
3.3.0-rc.1
3.4.0-beta.1
3.4.0-beta.2
3.4.0-rc.1
3.4.0-rc.2
3.5.0-beta.1
3.6.0-beta.1
3.6.0-rc.1
3.7.0-beta.1
3.7.0-rc.1

8.*

8.8.0
8.8.0-beta.1
8.8.0-beta.2
8.8.0-rc.1
8.8.1
8.8.2
8.8.3
8.8.4
8.9.0
8.9.0-beta.1
8.9.0-rc.1
8.9.1
8.9.2

@woocommerce/e2e-environment@0.*

@woocommerce/e2e-environment@0.1.1
@woocommerce/e2e-environment@0.1.2
@woocommerce/e2e-environment@0.1.5

Other

list

v1.*

v1.0
v1.0.1
v1.0.2
v1.0.3
v1.1
v1.1.1
v1.1.2
v1.1.3
v1.2
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.3
v1.3.1
v1.3.2
v1.4
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.5
v1.5.1
v1.5.2
v1.5.2.1
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.7.1
v1.5.8
v1.6-beta-1
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.6.5.1

v2.*

v2.0-beta-0
v2.0.0
v2.0.0-RC1
v2.0.0-RC2
v2.0.0-RC3
v2.0.0-beta1
v2.0.0-beta2
v2.0.0-beta3
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.0-RC1
v2.1.0-RC2
v2.1.0-beta-1
v2.1.0-beta-2
v2.1.0-beta-3
v2.1.1
v2.1.10
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2-beta-1
v2.2-beta-2
v2.2-beta-3
v2.2.0-RC1
v2.2.1
v2.2.2
v2.2.3

wc-beta-tester-2.*

wc-beta-tester-2.2.0
wc-beta-tester-2.2.0.b
wc-beta-tester-2.2.1
wc-beta-tester-2.2.2
wc-beta-tester-2.2.3
wc-beta-tester-2.2.4
wc-beta-tester-2.2.5
wc-beta-tester-2.3.0

woo-ai-0.*

woo-ai-0.1.0
woo-ai-0.2.0
woo-ai-0.4.0
woo-ai-0.5.0
woo-ai-0.6.0