BootCommerce Persistent Cross-Site Scripting Vulnerability

A persistent cross-site scripting vulnerability has been identified in BootCommerce version 3.2.1. This vulnerability allows remote attackers to inject malicious scripts into guest order checkout input fields. The unvalidated input can be exploited to execute arbitrary scripts, potentially leading to session hijacking, phishing attacks, and manipulation of application modules. The vulnerability arises from improper input validation in the billing and shipping address fields during the checkout process.

Impact

Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed in the context of the user, potentially leading to session hijacking and unauthorized actions within the application.

Reproduction

To reproduce this vulnerability, place an order as a guest user and inject a script payload into the billing or shipping address fields. Once the order is processed, the injected script will execute in the order summary and can also be triggered in the backend when an administrator previews the order.