CVE-2022-31037

OroCommerce is an open-source Business to Business Commerce application. Versions between 4.1.0 and 4.1.17 inclusive, 4.2.0 and 4.2.11 inclusive, and between 5.0.0 and 5.0.3 inclusive, are vulnerable to Cross-site Scripting in the UPS Surcharge field of the Shipping rule edit page. The attacker needs permission to create or edit a shipping rule. This issue has been patched in version 5.0.6. There are no known workarounds.

Published: Oct 18, 2022
Updated: May 9, 2024
CVE: CVE-2022-31037
GHSA: GHSA-4vf4-955g-vxp2
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
oroinc / orocommerce	5.0.0	5.0.3.x
oroinc / orocommerce	4.2.0	4.2.11.x
oroinc / orocommerce	4.1.0	4.1.17.x
oro / commerce	4.1.0	5.0.6

https://github.com/oroinc/orocommerce/security/advisories/GHSA-4vf4-955g-vxp2

Vulnerability Database

CVE-2022-31037

Deep Security Visibility Without the Complexity