Listen to this Post
The vulnerability is a stored cross-site scripting (XSS) attack in Craft Commerce’s admin interface. Specifically, the Name and Description fields within the Tax Zones management section do not undergo proper input sanitization or output encoding. When an attacker injects malicious JavaScript code into these fields, it is stored in the database and later displayed unsanitized in the admin panel. This allows the script to execute in the context of an administrator’s browser when they view the affected Tax Zones page. The payload can be crafted to perform malicious actions, such as making unauthorized HTTP requests using the administrator’s session. For example, an attacker can embed an image tag with an `onerror` event handler that triggers a `fetch` POST request to the permissions endpoint. This request can leverage the current CSRF token to grant admin privileges to the attacker’s user ID. The attack requires an elevated session, but attackers can force a logout or use social engineering, like a fake login modal overlay, to capture fresh credentials or sessions. This leads to full compromise of the admin account and potential takeover of the Craft Commerce instance.
Platform: Craft Commerce
Version: Not specified
Vulnerability: Stored XSS
Severity: Critical
Date: Unknown
Prediction: Patch expected soon
What Undercode Say:
Analytics
<img src=x onerror="alert(document.domain)">
<img src=x onerror="fetch('/admin/users/<UserID>/permissions',{method:'POST',body:`CRAFT_CSRF_TOKEN=${Craft.csrfTokenValue}&userId=<UserID>&admin=1&action=users/save-permissions`,headers:{'content-type':'application/x-www-form-urlencoded'}})">
How Exploit:
Inject malicious script into Tax Zones fields. Execute payload in admin browser. Escalate privileges via POST request.
Protection from this CVE
Sanitize input fields. Implement Content Security Policy. Encode output properly.
Impact:
Administrator account compromise. Privilege escalation. Credential theft.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

