Craft Commerce Stored Cross-Site Scripting Vulnerability in Tax Zones

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in Craft Commerce, an ecommerce platform for Craft CMS. This issue affects versions 4.0.0-RC1 prior to 4.10.0, as well as versions 5.0.0 through 5.5.1. The vulnerability allows attackers to execute malicious JavaScript in the browser of an administrator. The issue arises because the Name and Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected Tax Zone.

Reproduction

To reproduce this vulnerability, log into the Craft CMS admin panel with an account that has permissions to manage store settings and taxes. Navigate to 'Commerce' -> 'Store Management' -> 'Tax Zones'. Create a new tax zone and enter a payload, such as an image tag with an error event, into the Name or Description field. After saving, the injected script will execute, demonstrating the cross-site scripting vulnerability. Additionally, this vulnerability can be exploited to escalate privileges to an administrator by injecting a payload that modifies user permissions, taking advantage of an active elevated session.

Remediation

Update to Craft Commerce 4.10.1 (for the 4.x line) or 5.5.2 (for the 5.x line); both releases include the fix for this vulnerability.
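The defect class described above is a missing output-encoding step: untrusted field values are written into admin-panel HTML verbatim. The following Python snippet is an added illustration, not Craft Commerce's own code, and the row layout and column names are assumed. It shows the vulnerable rendering pattern beside the hardened one (escape every untrusted value at output time), plus a small audit helper a defender can run over exported tax zone rows after upgrading to see whether any record already contains tag-like markup that should be reviewed. The sample rows are constructed and use harmless tags, not a working payload.

```python
import html
import re
from typing import Iterable

# Constructed sample rows standing in for Craft Commerce tax zone records.
# The column names ("id", "name", "description") are assumptions for this
# illustration, not taken from the project's schema.
SAMPLE_ZONES = [
    {"id": 1, "name": "EU standard rate", "description": "Member states of the EU"},
    {"id": 2, "name": "<b>Bold</b> zone", "description": "Plain text"},
    {"id": 3, "name": "US", "description": 'Click <a href="https://example.invalid">here</a>'},
]


def render_zone_unescaped(zone: dict) -> str:
    """Vulnerable pattern: field values are concatenated straight into HTML,
    so any markup stored in name/description becomes live in the admin page."""
    return f'<tr><td>{zone["name"]}</td><td>{zone["description"]}</td></tr>'


def render_zone(zone: dict) -> str:
    """Hardened pattern: every untrusted value is HTML-escaped at output time.
    quote=True also encodes quotes, which matters once a value lands inside
    an attribute rather than element text."""
    def esc(value) -> str:
        return html.escape(str(value), quote=True)
    return f'<tr><td>{esc(zone["name"])}</td><td>{esc(zone["description"])}</td></tr>'


# Matches anything shaped like an HTML tag (<b>, </a>, <img ...>, etc.).
# A tax zone name or description has no legitimate reason to contain one.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def zones_with_markup(zones: Iterable[dict]) -> list:
    """Audit helper: return the ids of zones whose name or description
    contains tag-like markup, so an operator can review or clean them."""
    flagged = []
    for zone in zones:
        if TAG_RE.search(zone["name"]) or TAG_RE.search(zone["description"]):
            flagged.append(zone["id"])
    return flagged


if __name__ == "__main__":
    for zone in SAMPLE_ZONES:
        print(render_zone(zone))
    print("zones to review:", zones_with_markup(SAMPLE_ZONES))
```

In a Twig-based admin template the equivalent of render_zone is simply leaving autoescaping on for these fields; the audit helper is the useful extra step, because patching the template stops future execution but does not remove markup that was stored before the upgrade.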

Added: Feb 3, 2026, 7:24 PM
Updated: Feb 3, 2026, 7:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 6.3
remediation: 0.0
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.