Description
OroCommerce cross-site scripting vulnerability when editing a shipping rule for the UPS integration
Impact
The shipping rule edit page is vulnerable to a cross-site scripting (XSS) payload stored in the UPS Surcharge field: a value saved there is rendered back into the page without being treated as untrusted. The attacker must have permission to create or edit a shipping rule, so this is a stored XSS reachable by a lower-privileged back-office user against anyone who later opens the rule.
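The following is an added illustration, not code from OroCommerce or from the advisory, of the class of defect described above: a field that should only ever hold a decimal amount is written back into the edit form verbatim, so a value that closes the attribute and opens a new tag becomes markup. The field name, the decimal format accepted by the validator and the payload are assumptions made for the example; the hardened variant shows the two independent checks a practitioner would want, strict server-side validation of the surcharge and HTML escaping on output.

```javascript
// Added example (not OroCommerce code). Assumed field name "surcharge" and an
// assumed rule that a surcharge is a non-negative decimal with at most two
// fractional digits; the advisory does not state the real server-side rule.

// Escape the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Strict allow-list validation: digits, optional "." and up to two decimals.
function isValidSurcharge(value) {
  return /^\d{1,10}(\.\d{1,2})?$/.test(String(value));
}

// Vulnerable rendering: the stored value is interpolated into the template
// as-is, so a value containing '">' terminates the attribute and the tag.
function renderSurchargeInputVulnerable(surcharge) {
  return `<input name="surcharge" value="${surcharge}">`;
}

// Hardened rendering: reject anything that is not a decimal and escape the
// value anyway, so a bypass of either check alone does not yield markup.
function renderSurchargeInputSafe(surcharge) {
  if (!isValidSurcharge(surcharge)) {
    throw new Error("surcharge must be a non-negative decimal amount");
  }
  return `<input name="surcharge" value="${escapeHtml(surcharge)}">`;
}

// Constructed payload of the kind a user with "edit shipping rule" rights
// could save into the field: closes the value attribute, then adds an
// element with an event handler that runs when the form is rendered.
const PAYLOAD = '5"><img src=x onerror="alert(document.cookie)">';

// True when the rendered HTML contains more than the single <input> tag,
// i.e. the field value introduced markup of its own.
function introducesTag(html) {
  return (html.match(/<[a-z]/gi) || []).length > 1;
}
```

Running `introducesTag(renderSurchargeInputVulnerable(PAYLOAD))` returns true, while `renderSurchargeInputSafe(PAYLOAD)` throws before any HTML is produced; escaping alone (`escapeHtml(PAYLOAD)` inside the attribute) also leaves only the original `<input>` tag, which is why the two checks are kept independent.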
Packages
Name: oro/commerce (composer)
Affected versions: >= 4.1.0, < 5.0.6
Fixed version: 5.0.6
Related vulnerabilities
CVSS3: 6.9
nvd
more than 3 years ago
OroCommerce is an open-source Business to Business Commerce application. Versions between 4.1.0 and 4.1.17 inclusive, 4.2.0 and 4.2.11 inclusive, and between 5.0.0 and 5.0.3 inclusive, are vulnerable to Cross-site Scripting in the UPS Surcharge field of the Shipping rule edit page. The attacker needs permission to create or edit a shipping rule. This issue has been patched in version 5.0.6. There are no known workarounds.