[oro/commerce] OroCommerce Cross site scripting vulnerability during shipping rule editing for UPS integration

Impact

Shipping rule edit page is vulnerable to cross site scripting (XSS) payload added to UPS Surcharge field. The attacker should have permission to create or edit a shipping rule.

References

• https://github.com/oroinc/orocommerce/security/advisories/GHSA-4vf4-955g-vxp2
• https://nvd.nist.gov/vuln/detail/CVE-2022-31037
• https://github.com/advisories/GHSA-4vf4-955g-vxp2