VYPR
Moderate severity · NVD Advisory · Published Oct 18, 2022 · Updated Apr 23, 2025

OroCommerce vulnerable to Cross-site Scripting via Shipping rule editing page

CVE-2022-31037

Description

OroCommerce shipping rule editor is vulnerable to stored cross-site scripting via the UPS Surcharge field, allowing authenticated attackers to execute arbitrary scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Details

OroCommerce, an open-source B2B commerce platform, is vulnerable to cross-site scripting (XSS) in the UPS Surcharge field of the Shipping rule edit page [1]. This stored XSS vulnerability affects versions 4.1.0 through 4.1.17, 4.2.0 through 4.2.11, and 5.0.0 through 5.0.3 [1]. The root cause is insufficient sanitization of user-supplied input in the UPS surcharge field [2].

Exploitation

An attacker must have permission to create or edit shipping rules, meaning they need to be an authenticated user with appropriate administrative privileges [1][2]. The attack vector is network-based and requires low complexity; no user interaction is required beyond the attacker performing the malicious input [2].

Impact

Successful exploitation allows the attacker to inject arbitrary JavaScript or HTML into the shipping rule page, which is then executed in the context of other users' browsers when they view or edit the rule. This can lead to data theft, session hijacking, or further administrative actions [2].

Mitigation

The issue has been patched in OroCommerce version 5.0.6 [1]. Users are strongly advised to upgrade. There are no known workarounds [1][2].
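The root cause named above is a stored value that reaches admin browsers without adequate sanitization. The following is an added illustration, not OroCommerce code (the product itself is written in PHP): a hypothetical surcharge field rendered the vulnerable way next to a hardened version that validates the value as a money amount on write and still HTML-escapes it on read. All function names and sample inputs are constructed for this example.

```python
import html
import re
from decimal import Decimal

# Constructed sample inputs: strings a shipping-rule editor might receive in a
# surcharge field. None are taken from OroCommerce; they only illustrate the classes
# of input a numeric field must cope with.
SAMPLE_INPUTS = [
    "4.50",
    "12",
    '"><script>alert(1)</script>',
    "5.00<img src=x onerror=alert(1)>",
    "-3.00",
]


def render_surcharge_vulnerable(value: str) -> str:
    """Vulnerable pattern (hypothetical): the stored string is interpolated straight
    into markup, so whatever a privileged user saved is echoed, unescaped, to every
    administrator who later opens the rule."""
    return f'<input name="surcharge" value="{value}">'


# A surcharge is a non-negative money amount: digits, optionally two decimals.
_AMOUNT_RE = re.compile(r"\d{1,6}(\.\d{1,2})?")


def validate_surcharge(value: str) -> Decimal:
    """Input validation on write: accept only a plain decimal amount and convert it
    to Decimal so the stored type can no longer carry markup at all."""
    value = value.strip()
    if not _AMOUNT_RE.fullmatch(value):
        raise ValueError(f"surcharge must be a decimal amount, got {value!r}")
    return Decimal(value)


def render_surcharge_hardened(value: str) -> str:
    """Defence in depth: validate first, then escape on output anyway. The escape
    step is what protects admins if a bad value ever reaches storage by another path."""
    amount = validate_surcharge(value)
    return f'<input name="surcharge" value="{html.escape(str(amount), quote=True)}">'


def render_escaped_only(value: str) -> str:
    """Output encoding alone (the minimum fix): the value is still stored as-is but
    can no longer break out of the attribute when rendered."""
    return f'<input name="surcharge" value="{html.escape(value, quote=True)}">'


def triage(inputs):
    """Run every sample through the hardened path; return (accepted HTML, rejected raw)."""
    accepted, rejected = [], []
    for raw in inputs:
        try:
            accepted.append(render_surcharge_hardened(raw))
        except ValueError:
            rejected.append(raw)
    return accepted, rejected


if __name__ == "__main__":
    for raw in SAMPLE_INPUTS:
        print("vulnerable :", render_surcharge_vulnerable(raw))
        print("escaped    :", render_escaped_only(raw))
    ok, bad = triage(SAMPLE_INPUTS)
    print("accepted:", ok)
    print("rejected:", bad)
```

The point of keeping both layers is that validation fixes the data model (a surcharge is a number, so the field should never hold a string) while escaping fixes the rendering, and either one alone would have prevented the behaviour described in the Impact section; a review of a field like this should check for both.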

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: oro/commerce (Packagist)
Affected versions: >= 4.1.0, < 5.0.6
Patched versions: 5.0.6

Affected products: 2

Patches: 0 (no patches discovered yet).

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet).