com.liferay.commerce:com.liferay.commerce.service 9.0.10 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the com.liferay.commerce:com.liferay.commerce.service package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Authorization Bypass Through User-Controlled Key Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the `com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId` parameter. An attacker can access shipment addresses belonging to other virtual instances by manipulating this parameter. How to fix Authorization Bypass Through User-Controlled Key? Upgrade `com.liferay.commerce:com.liferay.commerce.service` to version 11.0.162 or higher.	[,11.0.162)
M Authorization Bypass Through User-Controlled Key Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the `com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId` parameter. An attacker can add notes to orders in a different virtual instance by specifying the target order's identifier. How to fix Authorization Bypass Through User-Controlled Key? Upgrade `com.liferay.commerce:com.liferay.commerce.service` to version 11.0.164 or higher.	[,11.0.164)
L Incorrect Authorization Affected versions of this package are vulnerable to Incorrect Authorization via the JSON Web Services published to OSGi. An attacker can gain unauthorized access to restricted service operations by invoking classes directly, which causes Service Access Policies to be executed. How to fix Incorrect Authorization? Upgrade `com.liferay.commerce:com.liferay.commerce.service` to version 11.0.168 or higher.	[,11.0.168)

Vulnerability

Vulnerable Version

Authorization Bypass Through User-Controlled Key

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter. An attacker can access shipment addresses belonging to other virtual instances by manipulating this parameter.

How to fix Authorization Bypass Through User-Controlled Key?

Upgrade com.liferay.commerce:com.liferay.commerce.service to version 11.0.162 or higher.

[,11.0.162)

Authorization Bypass Through User-Controlled Key

Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter. An attacker can add notes to orders in a different virtual instance by specifying the target order's identifier.

How to fix Authorization Bypass Through User-Controlled Key?

Upgrade com.liferay.commerce:com.liferay.commerce.service to version 11.0.164 or higher.

[,11.0.164)

Incorrect Authorization

Affected versions of this package are vulnerable to Incorrect Authorization via the JSON Web Services published to OSGi. An attacker can gain unauthorized access to restricted service operations by invoking classes directly, which causes Service Access Policies to be executed.

How to fix Incorrect Authorization?

Upgrade com.liferay.commerce:com.liferay.commerce.service to version 11.0.168 or higher.

[,11.0.168)

com.liferay.commerce:com.liferay.commerce.service@9.0.10 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically