Craft Commerce Stored Cross-Site Scripting Vulnerability in Product Type Names
Vulnerability
A stored cross-site scripting vulnerability has been identified in Craft Commerce, an ecommerce platform for Craft CMS. This issue affects Craft Commerce versions from 4.0.0-RC1 up to, but not including, 4.10.0, as well as versions 5.0.0 through 5.5.1. The vulnerability arises because Product Type names are not properly sanitized before being displayed in the user permissions settings. Exploitation of this vulnerability requires admin access to edit Commerce settings.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected Product Type in the permissions settings.
Reproduction
To reproduce this vulnerability, log in as an admin and navigate to the Product Types settings in Commerce. Create a new Product Type and enter a name that includes a script, such as an image tag with an 'onerror' event. After saving the Product Type, go to the user permissions tab for any user. The alert from the injected script will trigger as soon as the Product Type checkbox is rendered.
Remediation
Users are advised to update Craft Commerce to version 4.10.1 or 5.5.2, both of which include the necessary patch.
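Updating fixes how names are displayed, but a name saved before the update remains in the database. The following added example is not code from Craft Commerce or from this advisory. It flags stored Product Type names that would create HTML elements if rendered raw, and shows that output encoding at render time makes the same name inert. The checkbox markup, function names and sample names are assumptions made for illustration, and the encoding shown is a standard mitigation for this bug class, not the actual patch.

```python
import html
from html.parser import HTMLParser


class TagCollector(HTMLParser):
    """Records every element (and its attribute names) an HTML parser would create."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def parsed_tags(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def permission_label(name, encode=True):
    # Hypothetical checkbox markup; the real control panel template differs.
    shown = html.escape(name, quote=True) if encode else name
    return f'<label><input type="checkbox"> Manage "{shown}" products</label>'


def suspicious_names(names):
    """Return stored names that would create HTML elements if rendered raw."""
    return [n for n in names if parsed_tags(n)]


# Constructed sample rows, standing in for an export of Product Type names.
SAMPLE_NAMES = ["Clothing", "Books & Media", "Size < XL", "<img src=x onerror=alert(1)>"]

if __name__ == "__main__":
    for name in suspicious_names(SAMPLE_NAMES):
        print("review:", repr(name))
    probe = SAMPLE_NAMES[-1]
    print("raw    :", parsed_tags(permission_label(probe, encode=False)))
    print("encoded:", parsed_tags(permission_label(probe)))
```

Names containing a bare `&` or `<` are not flagged, because the audit checks whether a parser would build an element, not whether special characters are present.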
