Craft Commerce Stored Cross-Site Scripting Vulnerability Allowing Privilege Escalation

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in Craft Commerce, an ecommerce platform for Craft CMS. This issue affects versions 4.0.0-RC1 prior to 4.10.0, as well as versions 5.0.0 through 5.5.1. The vulnerability allows attackers to execute malicious JavaScript in the browser of an administrator. The problem arises because the 'Address Line 1' field in Inventory Locations is not properly sanitized before being displayed in the admin panel. Exploitation of this vulnerability could lead to unauthorized actions being performed on behalf of the administrator.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the victim's browser. This could be used to steal cookies, session tokens, or perform actions as the victim. In this case, it could also lead to privilege escalation, allowing an attacker to gain administrative rights on the Craft Commerce platform.

Reproduction

To reproduce this vulnerability, log into the admin panel with an account that has permissions to manage inventory locations. Navigate to 'Commerce' -> 'Inventory Locations' and select a location to edit. In the 'Address Line 1' field, enter a script payload, such as an image tag with an 'onerror' event. Save the changes and return to the inventory locations page, where the JavaScript execution can be observed. To escalate privileges, the same steps can be followed, but with a payload designed to elevate the attacker's account to admin status, taking advantage of an active elevated session.

Remediation

Users should update to Craft Commerce 4.10.1 or 5.5.2; both releases include the patch that addresses this vulnerability.
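As an added example (not code from the advisory or from Craft Commerce itself), the following Python shows the two defender-side pieces this bug calls for: encoding the stored field for an HTML context before display, and auditing already-stored 'Address Line 1' values for markup, since patching stops new injections but leaves payloads stored before the fix in place. The record layout and sample data are constructed assumptions.

```python
import html
import re

# Constructed sample of exported inventory-location records (not real data);
# 'address1' stands for the 'Address Line 1' field named in the advisory.
SAMPLE_LOCATIONS = [
    {"id": 1, "name": "Main warehouse", "address1": "12 Harbour Road"},
    {"id": 2, "name": "Outlet", "address1": "Unit 4, O'Connor & Sons Building"},
    {"id": 3, "name": "Popup", "address1": "<img src=x onerror=alert(1)>"},
    {"id": 4, "name": "Depot", "address1": "javascript:void(0) Street"},
]

# Patterns that should never appear in a free-text street address; a hit is
# a reason for manual review, not proof of compromise.
_SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!]"        # start of an HTML tag or comment
    r"|\bon[a-z]+\s*="        # inline event handler such as onerror=
    r"|javascript\s*:"        # script URL scheme
    r"|&#x?[0-9a-f]+;",       # numeric entity, a common encoding trick
    re.IGNORECASE,
)


def render_address_escaped(address1: str) -> str:
    """Hardened rendering: HTML-encode the stored value for an HTML text
    context, quotes included, so it can only ever be displayed as text."""
    return html.escape(address1, quote=True)


def find_suspicious_addresses(records):
    """Return the ids of records whose 'address1' contains markup-like content.
    Intended as a post-patch audit of data stored before the upgrade."""
    return [r["id"] for r in records if _SUSPICIOUS.search(r["address1"])]


if __name__ == "__main__":
    for loc in SAMPLE_LOCATIONS:
        print(loc["id"], render_address_escaped(loc["address1"]))
    print("review these ids:", find_suspicious_addresses(SAMPLE_LOCATIONS))
```

Run the audit against a full export of inventory locations, then correct or remove any flagged entries by hand.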

Added: Feb 3, 2026, 7:25 PM
Updated: Feb 3, 2026, 7:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 6.3
remediation: 0.0
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.