CubeCart Cross-Site Scripting Vulnerability in Contact Form Enquiry Field

Vulnerability

A stored/reflected HTML injection vulnerability has been identified in CubeCart versions through 6.5.10. The issue arises in the contact form's Enquiry field, which accepts raw HTML. The unfiltered input is embedded directly into the notification email sent to the store admin, indicating a lack of proper input sanitization or output escaping. As a result, there is a risk of Cross-Site Scripting (XSS) or HTML injection: the injected markup may render in the recipient's email client or, if the enquiry is also displayed in the admin panel, in the admin user interface.

Impact

Exploitation of this vulnerability allows for the injection of HTML into emails received by the admin, which could be used for phishing attacks or to create confusion in the user interface. If the injected content is displayed in the admin panel, it could lead to persistent XSS, with the possibility of compromising an admin session, especially if the admin UI is susceptible to executing injected scripts.

Reproduction

To reproduce this vulnerability, open the Contact Us page and submit HTML, such as a header tag with a link, in the Enquiry field. The HTML will be delivered to the admin email without any sanitization, demonstrating the vulnerability.

Remediation

Update to CubeCart version 6.5.11 or later, where this vulnerability has been patched.
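The pattern behind this advisory, shown as an added example rather than CubeCart's own code: an enquiry interpolated verbatim into an HTML email beside a hardened version that escapes every user-controlled value before it reaches the template, plus a simple check an operator can use to flag submissions that carry markup. Function names, the sample enquiry and the example URL are constructed for illustration.

```php
<?php
// Added example, not CubeCart code. Names are hypothetical.

// Unsafe: the Enquiry field is dropped into the HTML mail body as-is, so any
// markup the visitor submits is rendered by the admin's mail client.
function buildAdminEmailUnsafe(string $name, string $enquiry): string
{
    return "<p><strong>From:</strong> $name</p>\n"
         . "<p><strong>Enquiry:</strong></p>\n"
         . "<div>$enquiry</div>";
}

// Escape for an HTML context: <, >, &, quotes become entities; invalid UTF-8
// is replaced rather than passed through.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: escape first, then restore line breaks with nl2br() so the
// message stays readable without trusting any of the visitor's markup.
function buildAdminEmailSafe(string $name, string $enquiry): string
{
    return "<p><strong>From:</strong> " . escapeForHtml($name) . "</p>\n"
         . "<p><strong>Enquiry:</strong></p>\n"
         . "<div>" . nl2br(escapeForHtml($enquiry)) . "</div>";
}

// Detection aid: true when the submitted text contains HTML tags, so the
// submission can be logged or flagged for review.
function containsMarkup(string $value): bool
{
    return strip_tags($value) !== $value;
}

// Constructed sample modelled on the reproduction step: a header tag with a link.
$sample = "<h1><a href=\"https://example.invalid/reset\">Account notice</a></h1>\nPlease help.";

$unsafe = buildAdminEmailUnsafe('Visitor', $sample);
$safe   = buildAdminEmailSafe('Visitor', $sample);

// Regression checks: the hardened body carries no tag from the input.
assert(containsMarkup($sample) === true);
assert(strpos($unsafe, '<h1>') !== false);
assert(strpos($safe, '<h1>') === false);
assert(strpos($safe, '&lt;h1&gt;') !== false);
echo $safe, PHP_EOL;
```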

Added: Sep 22, 2025, 5:23 PM
Updated: Sep 23, 2025, 12:19 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 1.7
exploitability: 7.9
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.