Craft Commerce Stored DOM-Based Cross-Site Scripting Vulnerability in Recent Orders Dashboard Widget
Vulnerability
A stored DOM-based cross-site scripting vulnerability has been identified in Craft Commerce, the ecommerce plugin for Craft CMS. It affects 4.x releases from 4.0.0-RC1 up to and including 4.10.0, and 5.x releases from 5.0.0 up to and including 5.5.1. The flaw is in the 'Recent Orders' dashboard widget: the widget builds its table in the browser by concatenating the Order Status name into an HTML string without escaping it, so a status name that contains markup is inserted into the DOM as live HTML rather than as text. Any script in that markup executes when an admin views a dashboard that includes the widget.
Impact
Exploitation results in stored DOM-based cross-site scripting: the payload is persisted in the Order Status name and runs in the control panel session of whoever views the widget, with that user's privileges. Because creating or editing order statuses requires access to the Commerce settings, the attacker already needs a privileged account; the payload then fires for any other user who adds the widget to their dashboard, which makes the issue useful for persistence or for targeting other administrators rather than for initial access.
Reproduction
To reproduce, log in with an admin account and open Commerce's 'Order Statuses' settings. Create a new order status whose name contains a script payload, for example an image tag with an 'onerror' event handler such as <img src=x onerror=alert(1)>. Save the status, then go to the dashboard, add the 'Recent Orders' widget, and configure it to show orders with the new status. The payload executes as soon as the dashboard containing the widget is rendered.
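The following is an added example, not Craft Commerce's own widget code. It models the pattern described above and used in the reproduction: a row renderer that concatenates the Order Status name into an HTML string (vulnerable), the same renderer with HTML escaping applied to every untrusted value (hardened), and a small check that flags rendered markup containing an inline event handler or script tag. The order object, field names, CSS classes and the payload are all constructed for the example.

```javascript
// Added example modelling the Recent Orders widget's row rendering.
// Not Craft Commerce source; names and data below are constructed.

// Constructed payload of the kind described in the reproduction steps:
// an image tag whose onerror handler runs when the broken image fails to load.
const STATUS_PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Constructed order record. In the real widget the status name comes from the
// database, i.e. from whatever an admin typed into the Order Status settings.
const ORDER = {
  number: 'ORD-1001',
  status: { handle: 'pending', name: STATUS_PAYLOAD },
};

// Vulnerable: untrusted values are concatenated straight into markup, so the
// status name is parsed as HTML when the string is assigned to innerHTML.
function renderRowUnsafe(order) {
  return '<tr><td>' + order.number + '</td>' +
    '<td><span class="status ' + order.status.handle + '">' +
    order.status.name + '</span></td></tr>';
}

// Minimal HTML escaper covering the five characters that can break out of
// text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: every value that originates from user input is escaped before
// concatenation, so the payload is displayed literally instead of executed.
function renderRowSafe(order) {
  return '<tr><td>' + escapeHtml(order.number) + '</td>' +
    '<td><span class="status ' + escapeHtml(order.status.handle) + '">' +
    escapeHtml(order.status.name) + '</span></td></tr>';
}

// Review-time check: does the rendered string contain a tag with an inline
// on* event handler, or a <script> tag? True means active content survived.
function containsActiveContent(html) {
  return /<\s*[a-z]+[^>]*\son\w+\s*=/i.test(html) || /<\s*script/i.test(html);
}

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderRowUnsafe(ORDER));
  console.log('active :', containsActiveContent(renderRowUnsafe(ORDER)));
  console.log('safe   :', renderRowSafe(ORDER));
  console.log('active :', containsActiveContent(renderRowSafe(ORDER)));
}

if (typeof module !== 'undefined') {
  module.exports = { STATUS_PAYLOAD, ORDER, renderRowUnsafe, renderRowSafe, escapeHtml, containsActiveContent };
}
```

In a real browser widget the cleaner fix is to avoid string-built HTML entirely: create the cell with document.createElement and assign the status name through textContent, which never parses it as markup. Escaping at concatenation time, as above, is the minimal change when the string-building structure has to stay.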
Remediation
Users should update to Craft Commerce versions 4.10.1 or 5.5.2, both of which include the necessary patch to address this vulnerability.
