GHSA-v585-mf6r-rqrc

Описание

Summary

A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel.

Proof of Concept

Requirments

• General permissions:
  • Access the control panel
  • Access Craft Commerce
• Craft Commerce permissions:
  • Manage store settings
  • Manage taxes
• An active administrator elevated session

Steps to Reproduce

1. Log in to the Admin Panel with the attacker account with the permissions mentioned above.
2. Navigate to Commerce -> Store Management -> Tax Zones (/admin/commerce/store-management/primary/taxzones).
3. Create a new tax zone.
4. In the Name or Description field, enter the following payload:

4. Click Save and you’ll be redirected back to the previous page.
5. Notice the alert proving JavaScript execution.

Privilege Escalation to Administrator:

1. Do the same steps above, but replace the payload with a malicious one.
2. The following payload elevates the attacker’s account to Admin if there’s already an elevated session, replace the <UserID> with your attacker id:

4. In another browser, log in as an admin & go to the vulnerable page (tax zones page).
5. Go back to your attacker account & notice you are now an admin.

The privilege escalation requires an elevated session. In a real-world scenario, an attacker can automate the process by forcing a logout if the victim’s session is stale; upon re-authentication, the stored XSS payload executes within a fresh elevated session to complete the attack.

Or even easier (and smarter), an attacker (using the XSS) can create a fake 'Session Expired' login modal overlay. Since it’s on the trusted domain, administrators will likely enter their credentials, sending them directly to the attacker.

References:

https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee