Loaded Commerce Client-Side Template Injection Vulnerability
Vulnerability
A client-side template injection vulnerability has been identified in Loaded Commerce version 6.6. This vulnerability allows unauthenticated attackers to execute code on the server by manipulating the search parameter. The issue arises from improper handling of template syntax, which can be exploited to inject and execute arbitrary code.
Impact
Exploitation of this vulnerability allows for client-side code execution on the server.
Reproduction
To reproduce this vulnerability, inject template syntax into the search parameter of the 'advanced search result' page. For example, injecting '{{7*7}}' will execute the expression and return the result, confirming the template injection. Additionally, the 'Forgot Password' page can be used to demonstrate the vulnerability by submitting '{{constructor.constructor('alert(1)')()}}' in the email field, which will trigger a JavaScript alert.
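HTML-escaping a reflected value does not neutralize probes like the two above, because a client-side engine interpolates the text after the browser has decoded it. The sketch below is an added example, not code from Loaded Commerce or from this advisory. It assumes an engine that compiles `{{ }}` expressions from the rendered DOM, and the helper names and the zero-width separator are illustrative choices.

```javascript
// Added example: helper names are hypothetical, sample inputs are the page's two probes.
// Assumption: a client-side engine compiles {{ }} expressions found in the rendered DOM.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Conventional HTML output encoding: blocks tag and attribute injection only.
function htmlEscape(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Encoding for values reflected into template-compiled markup: HTML-escape, then
// put a zero-width non-joiner between adjacent braces so no {{ or }} pair survives.
function encodeForTemplatedHtml(value) {
  return htmlEscape(value).replace(/([{}])(?=[{}])/g, '$1&zwnj;');
}

// Approximates the text the engine sees once the browser has decoded entities.
function decodeEntities(html) {
  return html
    .replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)))
    .replace(/&zwnj;/g, '\u200c')
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&amp;/g, '&');
}

// Lists expressions the engine would interpolate; nothing is evaluated here.
function liveExpressions(html) {
  return [...decodeEntities(html).matchAll(/\{\{(.*?)\}\}/g)].map((m) => m[1]);
}

const probes = ['{{7*7}}', "{{constructor.constructor('alert(1)')()}}"];
for (const p of probes) {
  console.log(p,
    '| html-escaped only:', liveExpressions(htmlEscape(p)).length, 'live expression(s)',
    '| hardened:', liveExpressions(encodeForTemplatedHtml(p)).length);
}
```

Keeping user input out of template-compiled regions altogether is the more robust fix; the separator is for cases where the value has to be echoed inside one.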
