Vulnerabilities (CVE)

Filtered by vendor Oroinc Subscribe
Filtered by product Orocommerce
Total 4 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-32065 1 Oroinc 1 Orocommerce 2024-11-21 N/A 5.8 MEDIUM
OroCommerce is an open-source Business to Business Commerce application built with flexibility in mind. Detailed Order totals information may be received by Order ID. This issue is patched in version 5.0.11 and 5.1.1.
CVE-2023-32064 1 Oroinc 1 Orocommerce 2024-11-21 N/A 5.0 MEDIUM
OroCommerce package with customer portal and non authenticated visitor website base features. Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks. This issue has been patched in version 5.0.11 and 5.1.1.
CVE-2022-35950 1 Oroinc 1 Orocommerce 2024-11-21 N/A 6.9 MEDIUM
OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line item containing a vulnerable product. An attacker should be able to edit a product in the admin area and force a user to add this product to Shopping List and click add a note for it. Versions 5.0.11 and 5.1.1 contain a fix for this issue.
CVE-2022-31037 1 Oroinc 1 Orocommerce 2024-11-21 N/A 6.9 MEDIUM
OroCommerce is an open-source Business to Business Commerce application. Versions between 4.1.0 and 4.1.17 inclusive, 4.2.0 and 4.2.11 inclusive, and between 5.0.0 and 5.0.3 inclusive, are vulnerable to Cross-site Scripting in the UPS Surcharge field of the Shipping rule edit page. The attacker needs permission to create or edit a shipping rule. This issue has been patched in version 5.0.6. There are no known workarounds.