6.9
CVE-2022-35950
- EPSS 0.07%
- Veröffentlicht 09.10.2023 14:15:10
- Zuletzt bearbeitet 21.11.2024 07:12:02
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginOroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line item containing a vulnerable product. An attacker should be able to edit a product in the admin area and force a user to add this product to Shopping List and click add a note for it. Versions 5.0.11 and 5.1.1 contain a fix for this issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Oroinc ≫ Orocommerce Version >= 4.1.0 <= 4.1.13
Oroinc ≫ Orocommerce Version >= 4.2.0 <= 4.2.10
Oroinc ≫ Orocommerce Version >= 5.0.0 <= 5.0.10
Oroinc ≫ Orocommerce Version5.1.0 Update-
Oroinc ≫ Orocommerce Version5.1.0 Updatealpha1
Oroinc ≫ Orocommerce Version5.1.0 Updatealpha2
Oroinc ≫ Orocommerce Version5.1.0 Updatebeta1
Oroinc ≫ Orocommerce Version5.1.0 Updatebeta2
Oroinc ≫ Orocommerce Version5.1.0 Updaterc1
Oroinc ≫ Orocommerce Version5.1.0 Updaterc2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.07% | 0.22 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.8 | 1.7 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
|
| security-advisories@github.com | 6.9 | 1.7 | 4.7 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.