VYPR
Moderate severity · NVD Advisory · Published Oct 9, 2023 · Updated Sep 19, 2024

OroCommerce Cross-site Scripting vulnerability in add note dialog of Shopping List line item

CVE-2022-35950

Description

Stored XSS in OroCommerce allows executing JS payload in product name via shopping list note feature, fixed in 5.0.11 and 5.1.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

OroCommerce, an open-source B2B commerce application, is affected by a stored cross-site scripting (XSS) vulnerability in versions 4.1.0 through 4.1.13, 4.2.0 through 4.2.10, 5.0.0 prior to 5.0.11, and 5.1.0 prior to 5.1.1. The vulnerability resides in the handling of product names when a user adds a note to a shopping list line item: a JavaScript payload embedded in the product name is executed in the storefront context during this interaction [1][2].

Exploitation

Prerequisites

An attacker must have administrative privileges to edit product names in the admin area, and uses them to store a malicious JS payload in the product name field. A victim user (any storefront visitor) must then add the crafted product to their shopping list and click the "add a note" action for that line item. At that point the payload executes in the victim's browser, with whatever rights the victim holds in the storefront's security context [1][2].
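The rendering mistake described above, shown as an added example that is not OroCommerce's own code: an "add note" dialog title built by string concatenation from a stored product name, the escaped alternative, and a small catalogue audit a defender can run over existing product names. All function and field names are hypothetical.

```javascript
// Added example, not OroCommerce's own code. It contrasts the unsafe way a
// dialog template can interpolate a stored product name with an escaped
// version, and adds a catalogue audit that flags stored names containing
// markup. All function and field names here are hypothetical.

// Escape the five characters that matter when text lands in element
// content or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the product name is concatenated straight into an
// HTML string that the dialog later assigns to innerHTML, so any markup
// stored in the name is parsed and executed by the victim's browser.
function renderNoteDialogTitleUnsafe(productName) {
  return "<h3>Add a note for " + productName + "</h3>";
}

// Hardened pattern: escape before concatenation (in real DOM code, prefer
// textContent over innerHTML for untrusted strings).
function renderNoteDialogTitleSafe(productName) {
  return "<h3>Add a note for " + escapeHtml(productName) + "</h3>";
}

// Defender-side audit: a catalogue rarely needs tags or inline event
// handlers in product names, so flag any stored name that contains them.
const MARKUP_PATTERN = /<\s*\/?\s*[a-z][^>]*>|\bon[a-z]+\s*=/i;

function auditProductNames(products) {
  return products.filter((p) => MARKUP_PATTERN.test(p.name)).map((p) => p.sku);
}

// Constructed sample catalogue; SKU-003 stands in for a name an
// administrator stored with markup in it.
const SAMPLE_PRODUCTS = [
  { sku: "SKU-001", name: "Steel bracket 10mm" },
  { sku: "SKU-002", name: "Cable 2m (indoor)" },
  { sku: "SKU-003", name: "Widget <script>/* attacker-controlled */</script>" },
];

console.log(auditProductNames(SAMPLE_PRODUCTS)); // [ 'SKU-003' ]
console.log(renderNoteDialogTitleSafe(SAMPLE_PRODUCTS[2].name));
```

The audit regex is deliberately broad; in a real catalogue review, treat hits as candidates to inspect rather than as proof of tampering.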

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the storefront's origin, potentially leading to theft of session cookies, manipulation of page content, or other actions that the victim user can perform. The attack does not require any special privileges on the part of the victim beyond being a standard storefront user [2].

Mitigation

The issue has been addressed in OroCommerce versions 5.0.11 and 5.1.1. Users running affected versions should upgrade to these patched releases. No workarounds have been publicly documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1][2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions      Patched versions
oro/commerce   Packagist   >= 4.1.0, <= 4.1.13    -
oro/commerce   Packagist   >= 4.2.0, <= 4.2.10    -
oro/commerce   Packagist   >= 5.0.0, < 5.0.11     5.0.11
oro/commerce   Packagist   >= 5.1.0, < 5.1.1      5.1.1

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 3

News mentions: 0 (no linked articles in the index yet)