GHSA-mp46-7x6q-f28m

Source
https://github.com/advisories/GHSA-mp46-7x6q-f28m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mp46-7x6q-f28m/GHSA-mp46-7x6q-f28m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mp46-7x6q-f28m
Aliases
Published
2022-05-24T19:02:37Z
Modified
2024-02-16T08:10:50.896819Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
Woocommerce Cross-site Scripting via Additional tax classes field when taxes are enabled
Details

When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard. This allowed high-privilege users such as administrators to store XSS payloads in that field, even when the unfiltered_html capability is disabled.

Database specific
{
    "nvd_published_at": "2021-05-17T17:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-10T18:33:55Z"
}
References

Affected packages

Packagist / woocommerce/woocommerce

Package

Name
woocommerce/woocommerce
Purl
pkg:composer/woocommerce/woocommerce

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
5.2.0

Affected versions

2.*

2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.6.14
2.7.0-beta-1
2.7.0-beta-2
2.7.0-beta-3
2.7.0-beta-4
2.7.0-RC1

3.*

3.0.0-rc.1
3.0.0-rc.2
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0-beta-1
3.1.0-beta.2
3.1.0-rc.1
3.1.0-rc.2
3.1.0
3.1.1
3.1.2
3.2.0-beta.1
3.2.0-beta.2
3.2.0-rc.2
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.3.0-beta.1
3.3.0-beta.2
3.3.0-rc.1
3.3.0-rc.2
3.3.0
3.3.1-rc.1
3.3.1
3.3.2-rc.1
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.4.0-beta.1
3.4.0-beta.2
3.4.0-rc.1
3.4.0-rc.2
3.4.0
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
3.5.0-beta.1
3.5.0-rc.1
3.5.0-rc.2
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.5.5
3.5.6
3.5.7
3.5.8
3.5.9
3.5.10
3.6.0-beta1
3.6.0-rc.1
3.6.0-rc.2
3.6.0-rc.3
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.7.0-beta.1
3.7.0-rc.1
3.7.0-rc.2
3.7.0
3.7.1
3.7.2
3.7.3
3.8.0-beta.1
3.8.0-rc.1
3.8.0-rc.2
3.8.0
3.8.1
3.8.2
3.8.3
3.9.0-beta.1
3.9.0-beta.2
3.9.0-rc.1
3.9.0-rc.2
3.9.0-rc.3
3.9.0-rc.4
3.9.0
3.9.1
3.9.2
3.9.3
3.9.4
3.9.5

v3.*

v3.2.0-RC1

4.*

4.0.0-beta.1
4.0.0-rc.1
4.0.0-rc.2
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.1.0-beta.1
4.1.0-beta.2
4.1.0-rc.1
4.1.0-rc.2
4.1.0-rc.3
4.1.0
4.1.1
4.1.2
4.1.2.1
4.1.3
4.1.4
4.2.0-beta.1
4.2.0-RC.1
4.2.0-RC.2
4.2.0
4.2.1
4.2.2
4.2.3
4.2.3.1
4.2.4
4.2.5
4.3.0-beta.1
4.3.0-rc.1
4.3.0-rc.2
4.3.0-rc.3
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.4.1
4.3.5
4.3.6
4.4.0-beta.1
4.4.0-rc.1
4.4.0
4.4.1
4.4.2
4.4.2.1
4.4.3
4.4.4
4.5.0-beta.1
4.5.0-rc.1
4.5.0-rc.2
4.5.0-rc.3
4.5.0
4.5.1
4.5.2
4.5.3
4.5.3.1
4.5.4
4.5.5
4.6.0-beta.1
4.6.0-rc.1
4.6.0
4.6.1
4.6.2
4.6.3
4.6.3.1
4.6.4
4.6.5
4.7.0-beta.1
4.7.0-beta.2
4.7.0-rc.1
4.7.0
4.7.1-beta.1
4.7.1
4.7.2
4.7.3
4.7.4
4.8.0-beta.1
4.8.0-rc.1
4.8.0-rc.2
4.8.0
4.8.1
4.8.2
4.8.3
4.9.0-beta.1
4.9.0-rc.1
4.9.0-rc.2
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.9.5

5.*

5.0.0-beta.1
5.0.0-beta.2
5.0.0-rc.1
5.0.0-rc.2
5.0.0-rc.3
5.0.0
5.0.1
5.0.2
5.0.3
5.1.0-beta.1
5.1.0-rc.1
5.1.0
5.1.1
5.1.2
5.1.3
5.2.0-beta.1
5.2.0-rc.1
5.2.0-rc.2