VYPR
Medium severity · 6.4 · NVD Advisory · Published Feb 1, 2026 · Updated Apr 15, 2026

CVE-2022-50941

Description

BootCommerce 3.2.1 contains persistent input validation vulnerabilities that allow remote attackers to inject malicious script code through guest order checkout input fields. Attackers can exploit unvalidated input parameters to execute arbitrary scripts, potentially leading to session hijacking, phishing attacks, and application module manipulation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

BootCommerce 3.2.1 fails to sanitize guest checkout fields, enabling persistent XSS that can lead to session hijacking and phishing.

Vulnerability

Overview

BootCommerce 3.2.1 contains persistent input validation vulnerabilities in the guest order checkout process. The application does not properly validate or sanitize user-supplied input in checkout fields, allowing remote attackers to inject arbitrary JavaScript or HTML code. This flaw is classified as a persistent (stored) cross-site scripting (XSS) vulnerability [1][2].

Exploitation

Prerequisites

An attacker can exploit this vulnerability without prior authentication, because the checkout process is accessible to guest users. The attack vector is remote, and only low user interaction is needed, for example a victim administrator or other user viewing the affected order records. The injected script is stored on the server and executed when the stored data is rendered in a browser [1].

Impact

Successful exploitation enables an attacker to execute arbitrary script code in the context of the victim's session. This can lead to session hijacking, phishing attacks, and manipulation of application modules. The CVSS v3 score is 6.4 (Medium), reflecting the potential for significant confidentiality and integrity impact without requiring high privileges [2].

Mitigation

The vendor was notified in August 2021, and a fix was reportedly developed. Users should upgrade to a patched version of BootCommerce. No workaround is documented; applying the vendor's patch is recommended [1].
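To make the mechanism and the fix concrete, here is an added Python illustration of this class of flaw; it is not BootCommerce's code and not part of the advisory. The field names (`first_name`, `address`, `notes`) and the sample submission are constructed placeholders, not the application's real parameters. It contrasts the vulnerable pattern (stored checkout values interpolated straight into the admin order view) with the hardened one (allow-list validation at input plus HTML encoding at output), and adds a retrospective scan a defender can run over already-stored orders to find records that carry injected markup.

```python
import html
import re

# Constructed sample guest-checkout submission. Field names are hypothetical
# placeholders, not BootCommerce's actual parameter names; the address value
# carries a harmless marker script so the two renderers can be compared.
SAMPLE_SUBMISSION = {
    "first_name": "Alice",
    "address": "12 Main St <script>alert('stored')</script>",
    "notes": "Leave at door & ring bell",
}

# Tokens that open an HTML tag, a numeric entity, or a script URL. Their
# presence in a free-text checkout field is a strong signal of injected markup.
_MARKUP_RE = re.compile(r"[<>]|&#|javascript:", re.IGNORECASE)

# Allow-list for free-text checkout fields: word characters plus common address
# punctuation. Anything outside it is rejected at the input boundary.
_ALLOWED_RE = re.compile(r"^[\w .,'\-/#&()]*$", re.UNICODE)


def contains_markup(value: str) -> bool:
    """Detection helper: does a stored field look like it carries HTML or JS?"""
    return _MARKUP_RE.search(value) is not None


def validate_checkout_field(name: str, value: str, max_len: int = 200) -> str:
    """Allow-list validation at the input boundary. Returns the trimmed value
    or raises ValueError; it never tries to 'clean' a bad value in place."""
    value = value.strip()
    if len(value) > max_len:
        raise ValueError(f"{name}: exceeds {max_len} characters")
    if not _ALLOWED_RE.fullmatch(value):
        raise ValueError(f"{name}: contains characters outside the allow-list")
    return value


def render_order_row_unsafe(order: dict) -> str:
    """The vulnerable pattern: stored values interpolated straight into HTML.
    Whatever the guest typed is parsed, and run, when an admin views the order."""
    return (
        f"<tr><td>{order['first_name']}</td>"
        f"<td>{order['address']}</td>"
        f"<td>{order['notes']}</td></tr>"
    )


def render_order_row_safe(order: dict) -> str:
    """The hardened pattern: every stored value is HTML-encoded for the element
    context it lands in, so markup is displayed as text rather than parsed."""
    cells = (html.escape(order[k], quote=True) for k in ("first_name", "address", "notes"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def scan_stored_orders(orders: list) -> list:
    """Retrospective check over already-stored records: returns (index, field)
    pairs whose value looks like injected markup, for incident triage."""
    hits = []
    for i, order in enumerate(orders):
        for field, value in order.items():
            if contains_markup(value):
                hits.append((i, field))
    return hits


if __name__ == "__main__":
    print("unsafe:", render_order_row_unsafe(SAMPLE_SUBMISSION))
    print("safe:  ", render_order_row_safe(SAMPLE_SUBMISSION))
    clean = {"first_name": "Bob", "address": "1 Elm Rd", "notes": ""}
    print("hits:  ", scan_stored_orders([SAMPLE_SUBMISSION, clean]))
```

Output encoding at render time is the control that actually closes the stored XSS, because it neutralizes whatever has already reached the database; the allow-list validation reduces what gets stored in the first place, and the scan gives an incident responder a quick way to enumerate order records that should be cleaned up after patching.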

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)