← back
CVE-2023-32065

OroCommerce get-totals-for-checkout API endpoint returns unwanted data

CVSS 5.8 MEDIUMEPSS 0.5%CWE-284
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.8EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
28 Nov 2023Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
OroCommerce is an open-source Business to Business Commerce application built with flexibility in mind. Detailed Order totals information may be received by Order ID. This issue is patched in version 5.0.11 and 5.1.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Affected products
oroinc · orocommerce

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/oroinc/orocommerce/security/advisories/GHSA-88g2-xgh9-4ph2