Craft Commerce Stored Cross-Site Scripting Vulnerability in Inventory Locations
Vulnerability
A stored cross-site scripting (XSS) vulnerability has been identified in Craft Commerce versions from 5.0.0 up to, but not including, 5.5.3. The issue arises on the Inventory Locations page within the Commerce Settings, where the Name field is not HTML-escaped before it is rendered. This flaw allows an attacker who can edit inventory locations to inject arbitrary JavaScript that is stored with the location. The stored script executes when an administrator, or a user with product editing permissions, creates or modifies a product variant, because the Inventory Locations table is rendered on that page.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page. This could lead to session hijacking, database exfiltration, account takeover, privilege escalation, or the creation of new admin users.
Reproduction
To reproduce this vulnerability, log into the Craft CMS control panel and navigate to 'Commerce → Inventory Locations'. Create or edit a location and enter a payload, such as an image tag with an 'onerror' event, into the Name field. After saving the location, go to 'Commerce → Products', create a new product variant, and the injected script will execute when the Inventory Location table loads.
Remediation
Users can update to Craft Commerce version 5.5.3 or later, where this vulnerability has been patched.
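As an added example, not part of the advisory or of Craft Commerce's own code: a Python sketch of the rendering pattern the advisory describes (interpolating the stored Name field into the Inventory Locations table without escaping) beside the escaped form, plus an audit that flags stored location names carrying markup or event-handler attributes. The audit is worth running after upgrading, since a name saved before the fix stays in the database even though the patched release no longer renders it unescaped. The table cell layout, the regular expressions and the sample rows are constructed for this example.

```python
import html
import re

# Constructed sample rows standing in for the inventory locations table.
# Row 3 carries the kind of image-tag/onerror name the advisory describes,
# with the script body replaced by a placeholder.
SAMPLE_LOCATIONS = [
    {"id": 1, "name": "Main Warehouse"},
    {"id": 2, "name": "Paris <Annex>"},
    {"id": 3, "name": "<img src=x onerror=PAYLOAD>"},
]


def render_row_unescaped(name: str) -> str:
    """Vulnerable pattern: the stored name lands in the table cell verbatim."""
    return f"<td>{name}</td>"


def render_row_escaped(name: str) -> str:
    """Fixed pattern: HTML-escape the name before it is interpolated."""
    return f"<td>{html.escape(name, quote=True)}</td>"


# Conservative heuristics for an audit of names saved before the upgrade.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")          # start of an HTML tag
EVENT_ATTR_RE = re.compile(r"\bon[a-z]+\s*=", re.I)  # onerror=, onload=, ...
JS_URI_RE = re.compile(r"javascript\s*:", re.I)      # javascript: URLs


def audit_names(rows):
    """Return (id, reasons) for every row whose name looks like markup.

    Legitimate names containing '<' are flagged too; review hits by hand.
    """
    findings = []
    for row in rows:
        name = row["name"]
        reasons = []
        if TAG_RE.search(name):
            reasons.append("html-tag")
        if EVENT_ATTR_RE.search(name):
            reasons.append("event-handler")
        if JS_URI_RE.search(name):
            reasons.append("javascript-uri")
        if reasons:
            findings.append((row["id"], reasons))
    return findings


if __name__ == "__main__":
    for loc_id, reasons in audit_names(SAMPLE_LOCATIONS):
        print(f"location {loc_id}: {', '.join(reasons)}")
```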