Cross-site Scripting (XSS) - Stored in friends-of-forkcms/fork-cms-module-commerce

Valid

Reported on

Dec 20th 2021


Description

In the admin section, under Commerce -> Shop settings -> Stock statuses -> Edit stock statuses, one can add XSS payloads. After an XSS payload has been added, the JavaScript code runs whenever a user visits Commerce -> Shop settings -> Stock statuses.

Proof of Concept

Go to Commerce -> Shop settings -> Stock statuses -> Edit stock statuses and add an XSS payload, e.g.

Available<script>alert(1);</script>

Impact

Running JavaScript code.

We are processing your report and will contact the friends-of-forkcms/fork-cms-module-commerce team within 24 hours. a year ago
We have contacted a member of the friends-of-forkcms/fork-cms-module-commerce team and are waiting to hear back a year ago
We have sent a follow up to the friends-of-forkcms/fork-cms-module-commerce team. We will try again in 7 days. a year ago
We have sent a second follow up to the friends-of-forkcms/fork-cms-module-commerce team. We will try again in 10 days. a year ago
friends-of-forkcms/fork-cms-module-commerce maintainer validated this vulnerability a year ago
kstarkloff has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jesse
a year ago

Thank you for this vulnerability report @starkitsec.

This module is still pretty new and a work in progress (not used in projects yet), so there are probably more issues like these. The issue seems to be limited to the admin part. I found an issue in both the datagrid representation and the alerts on the edit page. I properly escaped the values in my upcoming fix, for all other places in the code that are affected.

Jesse Dobbelaere marked this as fixed with commit 485146 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
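
The two output paths named in the maintainer's comment (the datagrid and the alert on the edit page) are shown below with the stored value escaped at the point of output. This is an added example, not code from the module or from the fix commit; the function names, the row structure and the `/edit?id=` URL are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample rows: the second name is the payload from the proof of concept.
$stockStatuses = [
    ['id' => 1, 'name' => 'Out of stock'],
    ['id' => 2, 'name' => 'Available<script>alert(1);</script>'],
];

/** Escape a stored value for an HTML text or quoted-attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable (hypothetical datagrid row): the stored name reaches the markup as-is. */
function renderRowUnsafe(array $row): string
{
    return '<tr><td>' . $row['name'] . '</td>'
        . '<td><a href="/edit?id=' . $row['id'] . '" title="Edit ' . $row['name'] . '">Edit</a></td></tr>';
}

/** Hardened: every stored value is escaped where it is written into HTML. */
function renderRowSafe(array $row): string
{
    $name = e((string) $row['name']);
    $id = (int) $row['id'];
    return '<tr><td>' . $name . '</td>'
        . '<td><a href="/edit?id=' . $id . '" title="Edit ' . $name . '">Edit</a></td></tr>';
}

/** Hardened alert (hypothetical): the message is escaped after the name is interpolated. */
function renderSavedAlert(string $name): string
{
    return '<div class="alert alert-success">'
        . e(sprintf('The stock status "%s" was saved.', $name))
        . '</div>';
}

foreach ($stockStatuses as $row) {
    echo renderRowUnsafe($row), PHP_EOL; // second row carries a live <script> element
    echo renderRowSafe($row), PHP_EOL;   // second row shows the markup as plain text
}
echo renderSavedAlert($stockStatuses[1]['name']), PHP_EOL;

// Regression check: no raw tag taken from stored data survives the hardened row.
foreach ($stockStatuses as $row) {
    if (strpos(renderRowSafe($row), '<script') !== false) { throw new RuntimeException('unescaped output'); }
}
```

Escaping on output rather than on save keeps the stored name intact and covers values that were already written to the database before the fix.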