Configured Commerce Security Advisory - COM-2024-03


Brief Description:

A medium-severity input validation issue was discovered in the Commerce B2B application, affecting the Contact Us functionality. In specific scenarios, the vulnerability allowed visitors to submit input that was placed unfiltered into the generated email, so that HTML markup in that input was sent as markup rather than as text.

Affected Versions:

All versions before 5.2.2408 (STS) and 5.2.2408 (LTS).


Solutions and Mitigations: 

User-provided input on the Contact Us form is now sanitized and will not render as HTML in sent emails. All input, regardless of markup, will only render as text.

For Users that Cannot Upgrade:

If you are unable to upgrade, the following mitigations are suggested:

  • Use an email client that will block active content by default. This includes most modern email clients along with popular browser-based solutions.
  • Please be careful about any links sent via email from the Contact Us form.
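The following is an added illustration of the fix described above, written in Python rather than taken from Configured Commerce itself: every visitor-controlled field is HTML-escaped before it is placed into the HTML part of the notification email, and a text/plain alternative is included so that clients which block active content still show the message. The addresses and the sample submission are constructed placeholders.

```python
import html
from email.message import EmailMessage

# Placeholder addresses for the example; not taken from the advisory.
SUPPORT_INBOX = "support@example.invalid"
FROM_ADDRESS = "noreply@example.invalid"


def render_contact_email(name: str, sender: str, message: str) -> EmailMessage:
    """Build the notification email for one Contact Us submission.

    Every visitor-controlled field is HTML-escaped before it is placed in the
    text/html part, so tags such as <a> or <script> arrive as literal text.
    A text/plain alternative is included as well, so clients that block
    active content (the mitigation suggested above) still show the message.
    """
    safe_name = html.escape(name, quote=True)
    safe_sender = html.escape(sender, quote=True)
    # Escape first, then turn the form's line breaks into <br>, so the only
    # markup in the body is markup this code emits itself.
    safe_message = html.escape(message, quote=True).replace("\n", "<br>\n")

    msg = EmailMessage()
    msg["From"] = FROM_ADDRESS
    msg["To"] = SUPPORT_INBOX
    msg["Subject"] = "New Contact Us submission"  # fixed, never visitor-controlled
    msg.set_content(f"Name: {name}\nEmail: {sender}\n\n{message}")
    msg.add_alternative(
        "<html><body>"
        f"<p><b>Name:</b> {safe_name}</p>"
        f"<p><b>Email:</b> {safe_sender}</p>"
        f"<p>{safe_message}</p>"
        "</body></html>",
        subtype="html",
    )
    return msg


def body_text(msg: EmailMessage, kind: str) -> str:
    """Return the decoded text/plain or text/html part ("plain" or "html")."""
    return msg.get_body(preferencelist=(kind,)).get_content()


# Constructed sample submission containing markup, as a visitor might type it.
SAMPLE = render_contact_email(
    name="Eve <script>x</script>",
    sender="eve@example.invalid",
    message='Hello,\n<a href="https://example.invalid/">click here</a>',
)

if __name__ == "__main__":
    print(body_text(SAMPLE, "html"))
```

The printed HTML part contains `&lt;a href=&quot;...&quot;&gt;click here&lt;/a&gt;` instead of a clickable link, which is the behaviour the fix in 5.2.2408 describes.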


CVSS and Severity: 

CVSS 5.9, Medium


CVE ID: 

CVE-2025-22383


Date Published: 

Dec 13, 2024