Listen to this Post
How the CVE Works
The vulnerability is a stored Cross-Site Scripting (XSS) flaw in the Craft Commerce admin panel. It originates in the ‘Tax Rates’ management section. The ‘Name’ field for a tax rate does not undergo proper output encoding or sanitization when rendered back in the administrative interface. When an attacker with ‘Manage taxes’ permissions submits a crafted payload (like <img src=x onerror="alert(document.domain)">) into this field, it is saved to the database. Later, when an administrator views the list of tax rates, the malicious JavaScript is executed directly within their browser session, in the context of the trusted admin domain. This allows the attacker to perform any actions the admin can, such as sending forged HTTP requests to modify user permissions, steal session cookies, or present fake login forms to harvest credentials.
Platform: Craft Commerce
Version: < 5.0.13
Vulnerability: Stored XSS
Severity: Critical
date: 2024-07-23
Prediction: 2024-07-30
What Undercode Say:
curl -s https://api.craftcms.com/v1/updates | jq '.versions[] | select(.critical==true)'
<img src=x onerror="fetch('/admin/users/ATTACKER_ID/permissions',{method:'POST',body:`CRAFT_CSRF_TOKEN=${Craft.csrfTokenValue}&admin=1`})">
How Exploit:
- Attacker with ‘Manage taxes’ access logs into admin panel.
- Navigates to Commerce -> Store Management -> Tax Rates.
- Creates a new tax rate with malicious JavaScript in the ‘Name’ field.
4. Saves the tax rate.
5. Administrator views the tax rates list.
- Payload executes in admin’s browser, performing privileged actions (e.g., granting admin rights to the attacker’s account).
Protection from this CVE
Update to Craft Commerce 5.0.13 or later. Implement strict Content Security Policy (CSP). Sanitize all user-controlled input before output in HTML context.
Impact:
Full admin account takeover, credential theft, site defacement, data manipulation.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

