Cross-site Scripting (XSS) - Stored in friends-of-forkcms/fork-cms-module-commerce

Valid

Reported on

Dec 20th 2021


Description

In the admin section in Commerce -> Shop settings -> Stock statuses -> Edit stock statuses one can add XSS payloads. After adding XSS payloads when a user is visiting Commerce -> Shop settings -> Stock statuses the JavaScript code will be run.

Proof of Concept

Go to Commerce -> Shop settings -> Stock statuses -> Edit stock statuses and add XSS, e.g.

Available<script>alert(1);</script>

Impact

Running JavaScript code.

We are processing your report and will contact the friends-of-forkcms/fork-cms-module-commerce team within 24 hours. a month ago
We have contacted a member of the friends-of-forkcms/fork-cms-module-commerce team and are waiting to hear back a month ago
We have sent a follow up to the friends-of-forkcms/fork-cms-module-commerce team. We will try again in 7 days. a month ago
We have sent a second follow up to the friends-of-forkcms/fork-cms-module-commerce team. We will try again in 10 days. a month ago
friends-of-forkcms/fork-cms-module-commerce maintainer validated this vulnerability a month ago
starkitsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jesse
a month ago

Maintainer


Thank you for this vulnerability report @starkitsec.

This module is still pretty new and a work in progress (not used in projects yet) so there's probably more issue like these. The issue seems to be limited to the admin part. I found an issue in both the datagrid representation and the alerts on the edit page. I properly escaped the values in my upcoming fix, for all other places in the code that are affected.

a month ago
Jesse Dobbelaere confirmed that a fix has been merged on 485146 a month ago
The fix bounty has been dropped