Cross-site Scripting (XSS) - Stored in friends-of-forkcms/fork-cms-module-commerce
Dec 20th 2021
Proof of Concept
Go to Commerce -> Shop settings -> Stock statuses -> Edit stock statuses and add XSS, e.g.
Thank you for this vulnerability report @starkitsec.
This module is still pretty new and a work in progress (not used in projects yet) so there's probably more issues like these. The issue seems to be limited to the admin part. I found an issue in both the datagrid representation and the alerts on the edit page. I properly escaped the values in my upcoming fix, for all other places in the code that are affected.
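As an added illustration of the class of fix the maintainer describes (not code from the fork-cms-module-commerce project itself, and not the actual patch), the PHP below contrasts an unescaped rendering of a stock status title with one that is HTML-encoded before it reaches the datagrid cell and the edit-page alert. The `$storedTitle` value is a constructed sample, and the `renderDatagridCell` / `renderAlert` helpers are hypothetical names chosen for this example; the only real API used is `htmlspecialchars`.

```php
<?php
declare(strict_types=1);

// Constructed sample: a stock status title as it might be stored by the admin form.
// Any value an admin can type into a persisted field must be treated as untrusted
// when it is later placed inside HTML (datagrid rows, alert messages, select options).
$storedTitle = '<img src=x onerror="alert(1)">In stock';

// Encode every HTML-significant character (<, >, &, ", ') so the browser shows the
// string as text instead of interpreting it as markup. ENT_QUOTES covers both quote
// styles, which matters when a value ends up inside an attribute.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// VULNERABLE pattern (hypothetical helper): the stored value is concatenated straight
// into the cell markup, so the <img onerror> above would execute in the admin's browser.
function renderDatagridCellUnsafe(string $title): string
{
    return '<td class="title">' . $title . '</td>';
}

// FIXED pattern: the value is escaped at the point where it is embedded in HTML.
function renderDatagridCell(string $title): string
{
    return '<td class="title">' . escapeForHtml($title) . '</td>';
}

// Same rule for the edit-page alert, which also echoes the stored title.
function renderAlert(string $title): string
{
    return '<div class="alert alert-success">Stock status "'
        . escapeForHtml($title)
        . '" was saved.</div>';
}

// A small self-check a reviewer can run: the escaped output must not contain a raw
// '<' or '"' originating from the stored value, while the unsafe output does.
function outputIsEscaped(string $html, string $untrusted): bool
{
    return strpos($html, $untrusted) === false
        && strpos($html, '<img') === false;
}

echo renderDatagridCellUnsafe($storedTitle), PHP_EOL;   // contains live <img onerror>
echo renderDatagridCell($storedTitle), PHP_EOL;         // &lt;img src=x onerror=&quot;...
echo renderAlert($storedTitle), PHP_EOL;

var_dump(outputIsEscaped(renderDatagridCellUnsafe($storedTitle), $storedTitle)); // bool(false)
var_dump(outputIsEscaped(renderDatagridCell($storedTitle), $storedTitle));       // bool(true)
var_dump(outputIsEscaped(renderAlert($storedTitle), $storedTitle));              // bool(true)
```

The design point is where the escaping happens: encoding on output, at each place the value is embedded in HTML, is what closes the hole for every existing record, whereas sanitising only on input would leave already-stored titles and any other write path (imports, API, fixtures) unprotected. In a Twig-based backend the equivalent check is confirming that no template prints such fields through `|raw`.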