GHSA-6f85-3f8q-qc94

Опубликовано: 15 июл. 2022

Источник: github

Github: Прошло ревью

CVSS3: 6.9

Описание

OroCommerce vulnerable to XSS when adding class name to Selector Manager on pages that use GrapeJS editor

Due to insufficient class name validation in GrapeJS library it's possible to add executable JS code in class name through Selector Manager

Update GrapeJS dependency to >=v0.19.5

Наименование

oro/commerce

composer

Затронутые версииВерсия исправления

>= 5.0, < 5.0.4

5.0.4

6.9 Medium

CVSS3

CWE-79

6.9 Medium

CVSS3

CWE-79