CVE-2022-35950
Last modified
CVE-2022-35950 is a medium-severity vulnerability rated 4.8/10 on the CVSS scale. OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line item containing a vulnerable product. EPSS estimates a 0.36% chance of exploitation in the next 30 days.
Description
OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line item containing a vulnerable product. An attacker should be able to edit a product in the admin area and force a user to add this product to Shopping List and click add a note for it. Versions 5.0.11 and 5.1.1 contain a fix for this issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Oroinc | Orocommerce | >= 4.1.0, <= 4.1.13 |
| Oroinc | Orocommerce | >= 4.2.0, <= 4.2.10 |
| Oroinc | Orocommerce | >= 5.0.0, <= 5.0.10 |
| Oroinc | Orocommerce | 5.1.0 |
References
- https://github.com/oroinc/orocommerce/security/advisories/GHSA-2jc6-3fhj-8q84Third Party Advisory
- https://github.com/oroinc/orocommerce/security/advisories/GHSA-2jc6-3fhj-8q84Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2022-35950?
How severe is CVE-2022-35950?
How do I fix CVE-2022-35950?
Are you affected by CVE-2022-35950?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST