Dismissed
by @LeSuisse Activity log
- Created automatic suggestion
-
@LeSuisse
removed
8 packages
- python312Packages.azure-mgmt-commerce
- python313Packages.azure-mgmt-commerce
- python314Packages.azure-mgmt-commerce
- python312Packages.mypy-boto3-marketplacecommerceanalytics
- python313Packages.mypy-boto3-marketplacecommerceanalytics
- python314Packages.mypy-boto3-marketplacecommerceanalytics
- python312Packages.types-aiobotocore-marketplacecommerceanalytics
- python313Packages.types-aiobotocore-marketplacecommerceanalytics
- @LeSuisse dismissed
Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation
Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2.
References
- https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m x_refsource_CONFIRM
- https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee x_refsource_MISC
- https://github.com/craftcms/commerce/releases/tag/4.10.1 x_refsource_MISC
- https://github.com/craftcms/commerce/releases/tag/5.5.2 x_refsource_MISC
Affected products
commerce
- ==>= 5.0.0, < 5.5.2
- ==>= 4.0.0-RC1, < 4.10.1