Craft Commerce Stored Cross-Site Scripting Vulnerability in Order Status History
Vulnerability
A stored cross-site scripting (XSS) vulnerability has been identified in Craft Commerce, an ecommerce platform for Craft CMS. This issue affects versions 4.0.0-RC1 prior to 4.10.0, as well as versions 5.0.0 through 5.5.1. The vulnerability resides in the Order Status History Message, which is rendered through the |md (Markdown) filter. This filter passes raw HTML through unescaped, so script markup placed in the message executes in the browser of anyone who views it. Users with database backup utility permissions can exploit this vulnerability to exfiltrate the entire database, including user credentials, customer personal information, order history, and two-factor authentication recovery codes.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, with the added consequence of database exfiltration. The exfiltrated database includes user credentials, customer personal information, order history, and two-factor authentication recovery codes.
Reproduction
To reproduce this vulnerability, log into the Craft Commerce admin panel and navigate to the Orders section. Create a new order and mark it as completed. Then, edit the order and change the status, which will prompt a new text field for the Status Message. Enter a crafted XSS payload that exploits the database backup utility, and save the order. After logging out and back in with an admin account, the XSS payload will execute, triggering a database backup that is exfiltrated to the attacker's server.
Remediation
Users are advised to update to Craft Commerce versions 4.10.1 or 5.5.2, both of which include a patch for this vulnerability.
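The rendering pattern behind this issue (the |md filter passing raw HTML through) and the clean-up a site owner would want after patching, as an added illustration that is not part of this advisory or of Craft Commerce's own code: a constructed minimal Markdown renderer that passes HTML through, beside the hardened encode-then-render pattern, plus an audit helper for reviewing already-stored status messages. The function names, regexes and sample messages are assumptions made for the example.

```python
import html
import re

# Constructed minimal stand-in for a Markdown filter that, like the |md filter
# described above, passes raw HTML through untouched. It supports only **bold**,
# *italic* and [text](url); it models the behaviour and is not Craft's code.
_BOLD = re.compile(r"\*\*(.+?)\*\*")
_ITALIC = re.compile(r"\*(.+?)\*")
_LINK = re.compile(r"\[([^\]]+)\]\(([^)\s]+)\)")
_SAFE_SCHEME = re.compile(r"^(https?:|/|#)", re.IGNORECASE)
_TAG = re.compile(r"</?[a-zA-Z!]")  # heuristic: looks like the start of an HTML tag

def _safe_link(match: re.Match) -> str:
    """Encoding alone does not stop a javascript: link target, so the
    hardened path additionally drops links with unexpected schemes."""
    text, url = match.group(1), match.group(2)
    return f'<a href="{url}">{text}</a>' if _SAFE_SCHEME.match(url) else text

def _markdown(text: str, safe_links: bool) -> str:
    out = _LINK.sub(_safe_link if safe_links else r'<a href="\2">\1</a>', text)
    out = _BOLD.sub(r"<strong>\1</strong>", out)
    out = _ITALIC.sub(r"<em>\1</em>", out)
    return f"<p>{out}</p>"

def md_raw(text: str) -> str:
    """Vulnerable pattern: Markdown over the raw stored message, so any HTML
    the author typed reaches the viewing admin's browser as live markup."""
    return _markdown(text, safe_links=False)

def md_encoded(text: str) -> str:
    """Hardened pattern: HTML-encode the user-supplied message first (quote=True
    also blocks attribute break-outs), then apply Markdown, so formatting
    survives while embedded tags render as inert text."""
    return _markdown(html.escape(text, quote=True), safe_links=True)

def messages_with_markup(messages: dict) -> list:
    """Audit helper: ids of stored status messages containing tag-like text,
    for reviewing history written before the patched version was deployed."""
    return [mid for mid, msg in messages.items() if _TAG.search(msg)]

STATUS_MESSAGES = {  # constructed sample order status history, not real data
    101: "Shipped via **courier**, tracking [here](https://example.test/t/1)",
    102: "Refunded <script>alert(1)</script>",
    103: "Customer called; *hold* until Monday",
}
```

Running messages_with_markup over the real order status history after upgrading gives a list of entries to inspect by hand; the renderer here is deliberately tiny, so treat the tag heuristic as a starting point rather than a complete sanitizer.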