Craft Commerce Stored Cross-Site Scripting Vulnerability in Tax Categories

A stored cross-site scripting (XSS) vulnerability has been identified in Craft Commerce, an ecommerce platform for Craft CMS. This issue affects versions 4.0.0-RC1 prior to 4.10.0, as well as versions 5.0.0 through 5.5.1. The vulnerability allows attackers to execute malicious JavaScript in the browser of an administrator. The issue arises because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of an administrator's browser. This could lead to unauthorized actions being performed on behalf of the admin, especially if combined with social engineering tactics.

Reproduction

To reproduce this vulnerability, log into the Craft CMS Admin Panel with an account that has permissions to manage store settings and taxes. Navigate to 'Commerce' -> 'Store Management' -> 'Tax Categories'. Create a new tax category and enter a payload, such as an image tag with an 'onerror' event, in the Name or Description field. After saving, the injected JavaScript will execute, demonstrating the XSS vulnerability. For privilege escalation, the same steps can be followed, but with a payload designed to elevate the attacker's permissions to admin, taking advantage of an active elevated session.

Remediation

Users can update to Craft Commerce versions 4.10.1 or 5.5.2, where this vulnerability has been patched.