CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2023-48296 – OroPlatform's storefront user can access history and most viewed data from matching back-office user with the same ID
https://notcve.org/view.php?id=CVE-2023-48296
OroPlatform is a PHP Business Application Platform (BAP). Navigation history, most viewed and favorite navigation items are returned to storefront user in JSON navigation response if ID of storefront user matches ID of back-office user. This vulnerability is fixed in 5.1.4. OroPlatform es una plataforma de aplicaciones empresariales (BAP) PHP. El historial de navegación y los elementos de navegación más vistos y favoritos se devuelven al usuario de la tienda en la respuesta de navegación JSON si el ID del usuario de la tienda coincide con el ID del usuario de la oficina administrativa. • https://github.com/oroinc/orocommerce/commit/41c526498012d44cd88852c63697f1ef53b61db8 https://github.com/oroinc/orocommerce/security/advisories/GHSA-v7px-46v9-5qwp • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.9EPSS: 0%CPEs: 10EXPL: 0CVE-2022-35950 – OroCommerce Cross-site Scripting vulnerability in add note dialog of Shopping List line item
https://notcve.org/view.php?id=CVE-2022-35950
OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line item containing a vulnerable product. An attacker should be able to edit a product in the admin area and force a user to add this product to Shopping List and click add a note for it. Versions 5.0.11 and 5.1.1 contain a fix for this issue. OroCommerce es una aplicación de comercio entre empresas de código abierto. • https://github.com/oroinc/orocommerce/security/advisories/GHSA-2jc6-3fhj-8q84 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.9EPSS: 0%CPEs: 3EXPL: 0CVE-2022-31037 – OroCommerce vulnerable to Cross-site Scripting via Shipping rule editing page
https://notcve.org/view.php?id=CVE-2022-31037
OroCommerce is an open-source Business to Business Commerce application. Versions between 4.1.0 and 4.1.17 inclusive, 4.2.0 and 4.2.11 inclusive, and between 5.0.0 and 5.0.3 inclusive, are vulnerable to Cross-site Scripting in the UPS Surcharge field of the Shipping rule edit page. The attacker needs permission to create or edit a shipping rule. This issue has been patched in version 5.0.6. There are no known workarounds. • https://github.com/oroinc/orocommerce/security/advisories/GHSA-4vf4-955g-vxp2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •