Craft Commerce Stored Cross-Site Scripting Vulnerability in Order Details

Vulnerability

A stored cross-site scripting vulnerability has been identified in Craft Commerce versions 4.0.0 prior to 4.10.2 and 5.0.0 prior to 5.5.3. The issue arises in the order details slideout, where malicious JavaScript stored in the Shipping Method Name, Order Reference, or Site Name is rendered into the page. When the order details are opened by double-clicking the order on the index page, the injected script executes.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the order details.

Reproduction

To reproduce this vulnerability, first create a new shipping method and inject an XSS payload, such as an image tag with an 'onerror' event. After saving the shipping method, place a new order or edit an existing one, selecting the shipping method that was just created. Finally, navigate to the orders index page and double-click on the order to open the details slideout, where the injected script will execute.
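The rendering mistake behind this class of bug, and its fix, as a constructed JavaScript sketch added here (this is not Craft Commerce's own code; the field names, escapeHtml, the render functions and the sample order are assumptions):

```javascript
// Added example, not Craft Commerce code: a slideout that builds markup from
// stored order fields, shown in its vulnerable and its hardened form.

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: stored values interpolated straight into markup, so a
// shipping method name that contains a tag becomes a live element.
function renderOrderDetailsUnsafe(order) {
  return `<dl>
  <dt>Reference</dt><dd>${order.reference}</dd>
  <dt>Site</dt><dd>${order.siteName}</dd>
  <dt>Shipping method</dt><dd>${order.shippingMethodName}</dd>
</dl>`;
}

// Hardened pattern: every stored value is escaped at the point of output, so
// the browser renders it as text rather than parsing it as markup.
function renderOrderDetails(order) {
  const row = (label, value) =>
    `<dt>${escapeHtml(label)}</dt><dd>${escapeHtml(value)}</dd>`;
  return [
    "<dl>",
    "  " + row("Reference", order.reference),
    "  " + row("Site", order.siteName),
    "  " + row("Shipping method", order.shippingMethodName),
    "</dl>",
  ].join("\n");
}

// Constructed sample order (assumed field names): the shipping method name
// carries an image tag with an onerror handler, as the advisory describes.
const sampleOrder = {
  reference: "ORD-1001",
  siteName: "Default",
  shippingMethodName: '<img src=x onerror="alert(1)">',
};

// Regression check a test suite can run: a stored value must never reach the
// rendered HTML verbatim when it contains markup.
function storedValueLeaksAsMarkup(html, storedValue) {
  return /[<>"']/.test(storedValue) && html.includes(storedValue);
}

console.log(renderOrderDetails(sampleOrder));
```

The unsafe renderer reproduces the advisory's behaviour (the stored tag survives verbatim); the hardened one turns it into inert text, which is the same property the fixed Craft Commerce versions restore.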

Remediation

Users can update to Craft Commerce versions 4.10.2 or 5.5.3 to address this vulnerability.

Added: Mar 10, 2026, 8:57 PM
Updated: Mar 10, 2026, 8:57 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.