VulnerableCode Package Details - pkg:composer/oro/commerce@4.2.9

Search for packages

Vulnerability	Summary	Fixed by
VCID-c6p9-j755-5bd9 Aliases: CVE-2023-32065 GHSA-88g2-xgh9-4ph2		5.0.0-alpha.1 Affected by 0 other vulnerabilities. 5.0.11 Affected by 0 other vulnerabilities. 5.1.1 Affected by 0 other vulnerabilities.
VCID-rpak-hkk6-jyb9 Aliases: CVE-2022-31037 GHSA-4vf4-955g-vxp2	OroCommerce is an open-source Business to Business Commerce application. Versions between 4.1.0 and 4.1.17 inclusive, 4.2.0 and 4.2.11 inclusive, and between 5.0.0 and 5.0.3 inclusive, are vulnerable to Cross-site Scripting in the UPS Surcharge field of the Shipping rule edit page. The attacker needs permission to create or edit a shipping rule. This issue has been patched in version 5.0.6. There are no known workarounds.	5.0.0-alpha.1 Affected by 0 other vulnerabilities. 5.0.4 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.0.6 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-s3nf-431k-kkf4 Aliases: CVE-2022-35950 GHSA-2jc6-3fhj-8q84	OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line item containing a vulnerable product. An attacker should be able to edit a product in the admin area and force a user to add this product to Shopping List and click add a note for it. Versions 5.0.11 and 5.1.1 contain a fix for this issue.	5.0.0-alpha.1 Affected by 0 other vulnerabilities. 5.0.11 Affected by 0 other vulnerabilities. 5.1.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-c6p9-j755-5bd9
Aliases:
CVE-2023-32065
GHSA-88g2-xgh9-4ph2

5.0.0-alpha.1
Affected by 0 other vulnerabilities.

5.0.11
Affected by 0 other vulnerabilities.

5.1.1
Affected by 0 other vulnerabilities.

VCID-rpak-hkk6-jyb9
Aliases:
CVE-2022-31037
GHSA-4vf4-955g-vxp2

OroCommerce is an open-source Business to Business Commerce application. Versions between 4.1.0 and 4.1.17 inclusive, 4.2.0 and 4.2.11 inclusive, and between 5.0.0 and 5.0.3 inclusive, are vulnerable to Cross-site Scripting in the UPS Surcharge field of the Shipping rule edit page. The attacker needs permission to create or edit a shipping rule. This issue has been patched in version 5.0.6. There are no known workarounds.

5.0.0-alpha.1
Affected by 0 other vulnerabilities.

5.0.4
Affected by 3 other vulnerabilities.

5.0.6
Affected by 3 other vulnerabilities.

VCID-s3nf-431k-kkf4
Aliases:
CVE-2022-35950
GHSA-2jc6-3fhj-8q84

OroCommerce is an open-source Business to Business Commerce application. In versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1, the JS payload added to the product name may be executed at the storefront when adding a note to the shopping list line item containing a vulnerable product. An attacker should be able to edit a product in the admin area and force a user to add this product to Shopping List and click add a note for it. Versions 5.0.11 and 5.1.1 contain a fix for this issue.

5.0.0-alpha.1
Affected by 0 other vulnerabilities.

5.0.11
Affected by 0 other vulnerabilities.

5.1.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-hhjw-9b8t-qbbb		CVE-2023-32064 GHSA-8gwj-68w6-7v6c

Vulnerability

Summary

Aliases

VCID-hhjw-9b8t-qbbb

CVE-2023-32064
GHSA-8gwj-68w6-7v6c

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T19:12:06.422689+00:00	GitLab Importer	Affected by	VCID-c6p9-j755-5bd9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/oro/commerce/CVE-2023-32065.yml	38.6.0
2026-06-12T19:07:39.543151+00:00	GitLab Importer	Affected by	VCID-s3nf-431k-kkf4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/oro/commerce/CVE-2022-35950.yml	38.6.0
2026-06-12T18:36:37.953537+00:00	GitLab Importer	Affected by	VCID-rpak-hkk6-jyb9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/oro/commerce/CVE-2022-31037.yml	38.6.0
2026-06-12T15:47:34.428062+00:00	GitLab Importer	Fixing	VCID-hhjw-9b8t-qbbb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/oro/commerce/CVE-2023-32064.yml	38.6.0