Craft Commerce Stored Cross-Site Scripting Vulnerability in Shipping Methods Name Field

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in Craft Commerce, the ecommerce plugin for Craft CMS. The issue affects versions 5.0.0 through 5.5.1. It allows an attacker who can edit shipping methods to execute arbitrary JavaScript in the browser of an administrator. The root cause is that the Name field of a shipping method (Store Management > Shipping Methods) is not escaped when it is rendered in the admin panel, so HTML saved in that field is interpreted as markup rather than displayed as text.

Impact

Exploitation results in stored cross-site scripting: the injected JavaScript runs in the context of an administrator's session whenever the affected page is viewed. The script can perform actions on the admin's behalf, and, because the payload persists in the database, it runs for every administrator who opens the page, not only once. The proof of concept demonstrates privilege escalation, with the script raising the attacker's own account to admin.

Reproduction

To reproduce this vulnerability, log into the Craft CMS admin panel with an account that holds the permissions to manage store settings and shipping methods. Navigate to Shipping Methods under Store Management, create a new shipping method, and enter a payload such as an image tag with an error event handler into the Name field. After saving, the injected JavaScript executes when the shipping methods page is rendered, confirming the XSS. For privilege escalation, follow the same steps with a payload that issues the requests to grant the attacker's account admin permissions. Craft requires re-authentication (an "elevated session") before sensitive actions such as changing user permissions, so this variant relies on the victim having an active elevated session at the time the script runs.
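The following is an added example, not Craft Commerce's own code or template: it shows the vulnerable rendering pattern (an unescaped name concatenated into admin HTML) beside the hardened pattern (escaping on output, which is what Twig's autoescape does), and a small audit routine for finding shipping method names that already contain markup. The payload, the sample shipping methods, and all function names are constructed for illustration.

```python
"""Added example (not Craft Commerce code): why an unescaped shipping
method Name becomes stored XSS, how output escaping stops it, and how to
audit stored names for payloads that are already in the database.

Everything below (payload, sample data, function names) is constructed
for illustration and does not reproduce the real control panel template.
"""
import html
from html.parser import HTMLParser

# Constructed payload of the kind the advisory describes: an image element
# whose error handler runs attacker JavaScript when the admin page loads.
XSS_PAYLOAD = '<img src=x onerror="alert(document.domain)">'

# Constructed sample of shipping methods as a user with store management
# permissions might have saved them (hypothetical handles and names).
SAMPLE_METHODS = [
    {"handle": "flatRate", "name": "Flat Rate"},
    {"handle": "express", "name": "Express & Tracked"},
    {"handle": "evil", "name": XSS_PAYLOAD},
]


def render_row_vulnerable(method):
    """Vulnerable pattern: the attacker-controlled name is dropped into the
    admin list as raw HTML, so a saved <img ... onerror=...> is parsed as
    an element and its handler runs in the admin's browser."""
    return f'<tr><td>{method["name"]}</td><td>{method["handle"]}</td></tr>'


def render_row_escaped(method):
    """Hardened pattern: escape on output, as Twig autoescape or |e would.
    html.escape(quote=True) turns < > & " ' into entities, so the browser
    shows the name as text and never builds an element out of it."""
    name = html.escape(method["name"], quote=True)
    handle = html.escape(method["handle"], quote=True)
    return f"<tr><td>{name}</td><td>{handle}</td></tr>"


def render_table(methods, escape=True):
    """Render the admin shipping methods list with or without escaping."""
    rows = [render_row_escaped(m) if escape else render_row_vulnerable(m)
            for m in methods]
    return "<table>" + "".join(rows) + "</table>"


class _MarkupScanner(HTMLParser):
    """Collect element names and inline event-handler attributes, roughly
    as a browser tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for attr_name, _ in attrs:
            if attr_name.lower().startswith("on"):
                self.handlers.append((tag, attr_name))


def event_handlers_in(markup):
    """Return (tag, attribute) pairs for inline event handlers that a
    browser would execute from the given rendered HTML."""
    scanner = _MarkupScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.handlers


def find_suspicious_names(methods):
    """Audit stored names: a patch only fixes rendering, the payload saved
    in the database persists, so return handles whose Name parses into
    any HTML element at all (a legitimate name never should)."""
    flagged = []
    for method in methods:
        scanner = _MarkupScanner()
        scanner.feed(method["name"])
        scanner.close()
        if scanner.tags:
            flagged.append(method["handle"])
    return flagged


if __name__ == "__main__":
    print("vulnerable:", event_handlers_in(render_table(SAMPLE_METHODS, escape=False)))
    print("escaped:   ", event_handlers_in(render_table(SAMPLE_METHODS, escape=True)))
    print("stored payloads under handles:", find_suspicious_names(SAMPLE_METHODS))
```

Run against the constructed data, the vulnerable rendering yields an `img` element carrying an `onerror` handler, the escaped rendering yields none, and the audit flags the `evil` handle. The same audit idea applies to a real installation: export the shipping method names (the exact table and column depend on the Commerce schema and are not given here) and run them through `find_suspicious_names` before and after upgrading.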

Remediation

Update to Craft Commerce version 5.5.2 or later, where this vulnerability has been patched. Because the XSS is stored, upgrading only stops the payload from rendering: any shipping method name saved with injected markup is still in the database and should be reviewed and cleaned up, and the accounts that hold store management and shipping permissions should be audited, since those are the permissions an attacker needs to plant the payload.

Added: Feb 3, 2026, 7:28 PM
Updated: Feb 3, 2026, 7:28 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 5.9
remediation: 0.0
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.