Listen to this Post
This stored cross-site scripting (XSS) vulnerability operates within the Craft Commerce admin panel. The flaw exists in the ‘Shipping Methods Name’ field of the Store Management section. User input for this field is not subjected to adequate output encoding or sanitization before being rendered in the administrative interface. When an attacker injects a malicious payload, such as an HTML `img` element with an `onerror` JavaScript handler, it is stored persistently in the system. Subsequently, when an administrator views the shipping methods configuration page, the malicious payload is served from the trusted application domain and executed automatically in their browser session. This execution occurs with the privileges of the authenticated admin user, enabling attacks like session hijacking or forced CSRF token theft. The provided proof-of-concept payloads demonstrate direct exploitation: one steals a CSRF token and sends a forged request to grant administrator privileges to the attacker’s user ID, while another creates a convincing fake login modal to harvest credentials directly.
Platform: Craft Commerce
Version: Prior to 5.1.11
Vulnerability : Stored XSS
Severity: Critical
date: 2024-08-20
Prediction: 2024-08-27
What Undercode Say:
curl -v "https://target.com/admin/commerce/store-management/primary/shippingmethods"
<img src=x onerror="alert(document.domain)">
fetch('/admin/users/ATTACKER_ID/permissions',{method:'POST',body:<code>CRAFT_CSRF_TOKEN=${Craft.csrfTokenValue}&userId=ATTACKER_ID&admin=1&action=users/save-permissions</code>,headers:{'content-type':'application/x-www-form-urlencoded'})
How Exploit:
- Attacker with minimal access injects XSS payload into Shipping Method Name.
2. Payload stores in database.
3. Administrator loads affected admin page.
4. Malicious JavaScript executes in admin context.
- Payload steals CSRF token/elevates attacker privileges OR phishes credentials via fake overlay.
Protection from this CVE
Apply patch 5.1.11.
Implement strict output encoding.
Enforce Content Security Policy.
Sanitize all user-controllable inputs.
Impact:
Full Admin Privilege Escalation.
Complete Account Takeover.
Credential Theft.
Application Compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

