Craft Commerce, Stored Cross-Site Scripting, CVE-2023-XXXX (Critical)

Listen to this Post

This vulnerability operates due to insufficient server-side input sanitization and output encoding within the Craft Commerce admin panel. Specifically, the ‘Name’ and ‘Description’ fields for creating a Shipping Zone in the Store Management section do not properly neutralize or escape user-controlled HTML and JavaScript input. When a malicious actor with ‘Manage shipping’ permissions submits a crafted payload (like an HTML `img` element with an `onerror` event handler), the payload is stored in the database. Subsequently, when an administrator views the list of Shipping Zones, the malicious payload is rendered directly into the Document Object Model (DOM) of the admin panel page. The browser interprets the injected script as legitimate code part of the trusted application, executing it within the security context (origin) of the admin panel. This allows the attacker-defined JavaScript to run with the privileges of the viewing administrator, enabling session hijacking, forced requests to internal API endpoints (like permission changes), and the theft of sensitive data or credentials.
Platform: Craft CMS Commerce
Version: < 4.0.0-beta.2
Vulnerability: Stored XSS
Severity: Critical
date: 2023-10-26

Prediction: Patched 2023-10-26

What Undercode Say:

curl -X POST 'https://target.tld/admin/users/ATTACKER_ID/permissions' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d "CRAFT_CSRF_TOKEN=${STOLEN_TOKEN}&userId=ATTACKER_ID&admin=1"
<img src=x onerror="fetch('/admin/users/123/permissions',{method:'POST',body:`CRAFT_CSRF_TOKEN=${Craft.csrfTokenValue}&userId=123&admin=1`,headers:{'content-type':'application/x-www-form-urlencoded'}})">

How Exploit:

1. Attacker with shipping permissions logs in.

  1. Creates/edits a Shipping Zone with malicious XSS payload.

3. Administrator views Shipping Zones list.

4. Payload auto-executes in admin context.

  1. Payload sends forged POST request to elevate attacker privileges.

Protection from this CVE:

  • Update to patched version.
  • Implement strict output encoding.
  • Enforce Content Security Policy.
  • Sanitize all user-input fields.

Impact:

  • Full administrator account compromise.
  • Credential theft via fake login.
  • Complete store data manipulation.
  • Application integrity breach.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top