Craft Commerce Stored Cross-Site Scripting Vulnerability in Shipping Zone Fields

A stored cross-site scripting (XSS) vulnerability has been identified in Craft Commerce, an ecommerce platform for Craft CMS. This issue affects versions 4.0.0-RC1 prior to 4.10.0, as well as versions 5.0.0 through 5.5.1. The vulnerability allows attackers to execute malicious JavaScript in the browser of an administrator. The problem arises because the Shipping Zone Name and Description fields in the Store Management section are not properly sanitized before being displayed in the admin panel.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of an administrator's browser. This could lead to unauthorized actions being performed on behalf of the admin or exposure of sensitive information.

Reproduction

To reproduce this vulnerability, log into the Craft Commerce admin panel with an account that has permissions to manage store settings and shipping. Once logged in, navigate to the Shipping Zones section under Store Management. Create a new shipping zone and enter a payload, such as an image tag with an error event, in the Name field. After saving, the injected JavaScript will execute, demonstrating the cross-site scripting vulnerability. For the privilege escalation, the same steps can be followed, but with a payload designed to elevate the attacker's permissions to admin, taking advantage of an active elevated session.

Remediation

Users can update to Craft Commerce versions 4.10.1 or 5.5.2, where this vulnerability has been patched.