Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveGitHub_MCVE-2022-35950
HistoryOct 09, 2023 - 2:15 p.m.

CVE-2022-35950

2023-10-0914:15:10
CWE-79
GitHub_M
web.nvd.nist.gov
30
orocommerce
cve-2022-35950
business to business commerce
security vulnerability
javascript payload

CVSS3

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

AI Score

4.9

Confidence

High

EPSS

0.001

Percentile

18.6%

JSON

OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line item containing a vulnerable product. An attacker should be able to edit a product in the admin area and force a user to add this product to Shopping List and click add a note for it. Versions 5.0.11 and 5.1.1 contain a fix for this issue.

Affected configurations

Nvd
Vulners
Node
oroincorocommerceRange4.1.04.1.13
OR
oroincorocommerceRange4.2.04.2.10
OR
oroincorocommerceRange5.0.05.0.10
OR
oroincorocommerceMatch5.1.0-
OR
oroincorocommerceMatch5.1.0alpha1
OR
oroincorocommerceMatch5.1.0alpha2
OR
oroincorocommerceMatch5.1.0beta1
OR
oroincorocommerceMatch5.1.0beta2
OR
oroincorocommerceMatch5.1.0rc1
OR
oroincorocommerceMatch5.1.0rc2
VendorProductVersionCPE
oroincorocommerce*cpe:2.3:a:oroinc:orocommerce:*:*:*:*:*:*:*:*
oroincorocommerce5.1.0cpe:2.3:a:oroinc:orocommerce:5.1.0:-:*:*:*:*:*:*
oroincorocommerce5.1.0cpe:2.3:a:oroinc:orocommerce:5.1.0:alpha1:*:*:*:*:*:*
oroincorocommerce5.1.0cpe:2.3:a:oroinc:orocommerce:5.1.0:alpha2:*:*:*:*:*:*
oroincorocommerce5.1.0cpe:2.3:a:oroinc:orocommerce:5.1.0:beta1:*:*:*:*:*:*
oroincorocommerce5.1.0cpe:2.3:a:oroinc:orocommerce:5.1.0:beta2:*:*:*:*:*:*
oroincorocommerce5.1.0cpe:2.3:a:oroinc:orocommerce:5.1.0:rc1:*:*:*:*:*:*
oroincorocommerce5.1.0cpe:2.3:a:oroinc:orocommerce:5.1.0:rc2:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "oroinc",
    "product": "orocommerce",
    "versions": [
      {
        "version": ">= 4.1.0, <= 4.1.13",
        "status": "affected"
      },
      {
        "version": ">= 4.2.0, <= 4.2.10",
        "status": "affected"
      },
      {
        "version": ">= 5.0.0, < 5.0.11",
        "status": "affected"
      },
      {
        "version": ">= 5.1.0, < 5.1.1",
        "status": "affected"
      }
    ]
  }
]

Related

osv 2
prion 1
github 1
cvelist 1
nvd 1
veracode 1
vulnrichment 1
osv
osv
CVE-2022-35950
2023-10-09 14:15:10
OroCommerce Cross-site Scripting vulnerability in add note dialog of Shopping List line item
2023-10-10 21:10:28
prion
prion
Design/Logic Flaw
2023-10-09 14:15:00
github
github
OroCommerce Cross-site Scripting vulnerability in add note dialog of Shopping List line item
2023-10-10 21:10:28
cvelist
cvelist
CVE-2022-35950 OroCommerce Cross-site Scripting vulnerability in add note dialog of Shopping List line item
2023-10-09 13:06:50
nvd
nvd
CVE-2022-35950
2023-10-09 14:15:10
veracode
veracode
Cross Site Scripting
2023-10-11 06:09:35
vulnrichment
vulnrichment
CVE-2022-35950 OroCommerce Cross-site Scripting vulnerability in add note dialog of Shopping List line item
2023-10-09 13:06:50

CVSS3

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

AI Score

4.9

Confidence

High

EPSS

0.001

Percentile

18.6%

JSON
Related for CVE-2022-35950
osv2prion1github1cvelist1nvd1veracode1vulnrichment1