VulnerableCode Package Details - pkg:composer/oro/commerce@4.2.6

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:composer/oro/commerce@4.2.6

Essentials
History (4)

purl	pkg:composer/oro/commerce@4.2.6

Next non-vulnerable version	5.0.0-alpha.1
Latest non-vulnerable version	5.1.1
Risk

Vulnerabilities affecting this package (4)

Vulnerability	Summary	Fixed by
VCID-kbbs-tmyt-nqg3 Aliases: CVE-2023-32064 GHSA-8gwj-68w6-7v6c	OroCommerce Customer Portal Incorrect Customer and Customer Group Frontend Menus pages visibility Back-office users can access information about Customer and Customer User menus, bypassing ACL security restrictions due to insufficient security checks.	4.2.9 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.0.11 Affected by 0 other vulnerabilities. 5.1.1 Affected by 0 other vulnerabilities.
VCID-r9wd-nz64-nqfj Aliases: CVE-2022-31037 GHSA-4vf4-955g-vxp2		5.0.0-alpha.1 Affected by 0 other vulnerabilities. 5.0.4 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.0.6 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-t86v-r5mp-cqex Aliases: CVE-2023-32065 GHSA-88g2-xgh9-4ph2	OroCommerce get-totals-for-checkout API endpoint returns unwanted data Detailed Checkout totals information may be received by Checkout ID	5.0.0-alpha.1 Affected by 0 other vulnerabilities. 5.0.11 Affected by 0 other vulnerabilities. 5.1.1 Affected by 0 other vulnerabilities.
VCID-u8qz-p72c-pkdc Aliases: CVE-2022-35950 GHSA-2jc6-3fhj-8q84	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line item containing a vulnerable product. An attacker should be able to edit a product in the admin area and force a user to add this product to Shopping List and click add a note for it. Versions 5.0.11 and 5.1.1 contain a fix for this issue.	5.0.0-alpha.1 Affected by 0 other vulnerabilities. 5.0.11 Affected by 0 other vulnerabilities. 5.1.1 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-01T07:43:36.369212+00:00	GitLab Importer	Affected by	VCID-kbbs-tmyt-nqg3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/oro/commerce/CVE-2023-32064.yml	38.6.0
2026-06-01T07:43:27.791657+00:00	GitLab Importer	Affected by	VCID-t86v-r5mp-cqex	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/oro/commerce/CVE-2023-32065.yml	38.6.0
2026-06-01T07:39:58.901413+00:00	GitLab Importer	Affected by	VCID-u8qz-p72c-pkdc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/oro/commerce/CVE-2022-35950.yml	38.6.0
2026-06-01T07:07:38.201406+00:00	GitLab Importer	Affected by	VCID-r9wd-nz64-nqfj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/oro/commerce/CVE-2022-31037.yml	38.6.0