Wiz
Vulnerability DatabaseCVE-2022-31037

CVE-2022-31037
PHP vulnerability analysis and mitigation

Overview

A Cross-site Scripting (XSS) vulnerability was discovered in OroCommerce versions between 4.1.0 and 4.1.17, 4.2.0 and 4.2.11, and 5.0.0 and 5.0.3. The vulnerability exists in the UPS Surcharge field during shipping rule editing (GHSA Advisory, NVD).

Technical details

The vulnerability allows for Cross-site Scripting attacks through the UPS Surcharge field in the shipping rule edit page. The issue has a CVSS v3.1 base score of 6.9 (Moderate severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N. This indicates network attack vector, low attack complexity, high privileges required, user interaction required, changed scope, high confidentiality impact, low integrity impact, and no availability impact (GHSA Advisory).

Impact

The vulnerability could allow an attacker with permissions to create or edit shipping rules to execute malicious scripts through the UPS Surcharge field, potentially compromising data confidentiality and integrity (GHSA Advisory).

Mitigation and workarounds

The vulnerability has been patched in version 5.0.6. Users are advised to upgrade to this version or later to address the security issue (GHSA Advisory).

Additional resources

SourceThis report was generated using AI

Related PHP vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-65854CRITICAL9.8
  • PHPPHP
  • mineadmin/mineadmin
NoNoDec 12, 2025
CVE-2024-58303HIGH8.6
  • PHPPHP
  • fof/pretty-mail
NoNoDec 11, 2025
CVE-2025-67719HIGH8.5
  • PHPPHP
  • ibexa/user
NoYesDec 11, 2025
CVE-2025-67648HIGH7.1
  • PHPPHP
  • shopware/shopware
NoYesDec 11, 2025
CVE-2025-67737LOW3.1
  • PHPPHP
  • azuracast/azuracast
NoYesDec 12, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo