Craft Commerce Stored Cross-Site Scripting Vulnerability in Inventory Management Page

Vulnerability

A stored cross-site scripting vulnerability has been identified in Craft Commerce versions from 5.0.0 up to, but not including, 5.5.3. The issue arises on the Commerce Inventory page, where the Product Title, Variant Title, and Variant SKU fields are rendered without adequate HTML escaping. Because these values are stored with the product, an attacker who can set them can execute arbitrary JavaScript in the browser of any user, including administrators, who views the inventory management page. The vulnerability could lead to session hijacking by extracting unmasked session cookie values.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, with the injected script executing in the context of the user viewing the inventory page. This could be exploited to hijack the user's session by stealing session cookies, including those for administrative accounts.
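The root cause described above is output encoding that is missing on three stored fields. The following PHP snippet is an added illustration, not Craft Commerce's own code: it shows a hypothetical inventory row renderer that escapes each field for an HTML context before it is placed in the page. The function names, the `$row` keys and the sample values are assumptions made for the example; in a Twig template the equivalent is to leave autoescaping enabled and not apply the `|raw` filter to these fields.

```php
<?php
// Added example (not Craft Commerce code). Demonstrates escaping the
// Product Title, Variant Title and Variant SKU before rendering them.

/**
 * Escape an untrusted string for use as HTML text or inside a quoted
 * HTML attribute. ENT_QUOTES covers both ' and ", ENT_SUBSTITUTE avoids
 * returning an empty string on invalid UTF-8.
 */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render one inventory table row. The array keys are hypothetical names
 * for this example, not Craft's data model.
 */
function renderInventoryRow(array $row): string
{
    $cells = [];
    foreach (['productTitle', 'variantTitle', 'variantSku'] as $key) {
        // Every stored field goes through the encoder, regardless of how
        // "harmless" a SKU or title is expected to look.
        $cells[] = '<td>' . escapeForHtml((string)($row[$key] ?? '')) . '</td>';
    }
    return '<tr>' . implode('', $cells) . '</tr>';
}

// Constructed sample row: values a product editor could type into the
// three fields. None of them should be interpreted as markup.
$sampleRow = [
    'productTitle' => 'Widget <script>alert(1)</script>',
    'variantTitle' => 'Red "large"',
    'variantSku'   => "WIDGET-001' onmouseover='x",
];

echo renderInventoryRow($sampleRow), PHP_EOL;
```

Running the snippet prints the row with `<`, `>`, `"` and `'` replaced by HTML entities, so the browser displays the stored text literally instead of parsing the script tag or the injected attribute. The encoder is applied at the point of output rather than at save time, which is the pattern that keeps stored data intact while preventing it from being rendered as markup.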

Reproduction

To reproduce this vulnerability, log into the Craft CMS control panel and navigate to the Commerce Products section. Create a new product and enter a malicious script into the Product Title, Variant Title, or Variant SKU fields. Save the product, then go to the Commerce Inventory page where the injected script will execute, fetching the PHP Info page and exfiltrating session cookies to an external server.

Remediation

Users can update to Craft Commerce version 5.5.3 or later, where this vulnerability has been fixed.

Added: Mar 10, 2026, 8:31 PM
Updated: Mar 10, 2026, 8:31 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 6.3
remediation: 0.0
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.