Craft Commerce Stored Cross-Site Scripting Vulnerability in Tax Rates Name Field

A stored cross-site scripting (XSS) vulnerability has been identified in Craft Commerce, an ecommerce platform for Craft CMS. This issue affects versions 4.0.0-RC1 prior to 4.10.0, as well as versions 5.0.0 through 5.5.1. The vulnerability allows attackers to execute malicious JavaScript in the browser of an administrator. The issue arises because the 'Name' field in the Tax Rates section of Store Management is not properly sanitized before being displayed in the admin panel.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of an administrator's browser.

Reproduction

To reproduce this vulnerability, log into the admin panel with an account that has permissions to manage store settings and taxes. Navigate to the Tax Rates section under Store Management. Create a new tax rate and enter a payload, such as an image tag with an error event, in the 'Name' field. After saving, the injected script will execute, demonstrating the XSS vulnerability. Additionally, this vulnerability can be exploited for privilege escalation by injecting a payload that elevates the attacker's permissions to admin.

Remediation

Users can update to Craft Commerce versions 4.10.1 or 5.5.2, where this vulnerability has been patched.