VYPR
Unrated severity · NVD Advisory · Published Sep 30, 2023 · Updated Sep 23, 2024

Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)

CVE-2023-43709

Description

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JavaScript through the "configuration_title1" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Os Commerce is vulnerable to stored XSS in the configuration_title[1] parameter, allowing attackers to inject malicious scripts via the /admin/modules/save endpoint.

Vulnerability

Os Commerce is susceptible to a stored Cross-Site Scripting (XSS) vulnerability in the /admin/modules/save?set=payment endpoint. The configuration_title[1] parameter is not properly sanitized, allowing an attacker to inject arbitrary JavaScript. This affects all versions of the platform prior to the fix referenced in the advisory [2].

Exploitation

An attacker must have administrative access to the Os Commerce admin panel. By sending a crafted POST request to /admin/modules/save?set=payment with a malicious payload in the configuration_title[1] parameter, the injected script is stored on the server and later executed when an administrator visits the affected page. No user interaction beyond the administrator viewing the page is required for the stored script to execute [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the admin browser session. This can lead to session hijacking, credential theft, defacement, or other actions that compromise the confidentiality and integrity of the application [1][2].

Mitigation

The vendor, Os Commerce, has not released a public patch at the time of this writing. Administrators should restrict access to the admin panel to trusted users, apply input validation and output encoding for the configuration_title[1] parameter, and monitor the vendor's website (https://www.oscommerce.com/) for a security update [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
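The mitigation above names two controls for the configuration_title[1] parameter: validate on save and encode on output. The following is an added illustration of both, not osCommerce's own code; it assumes the admin form posts configuration_title as an array keyed by module row (configuration_title[1]) and that the title is later echoed into an admin HTML table cell.

```php
<?php
// Added illustration (not osCommerce's own code). Assumes the admin form posts
// configuration_title as an array indexed by module row, e.g. configuration_title[1].

// Vulnerable pattern: the stored title is echoed into admin HTML without encoding,
// so any markup in the value is interpreted by the administrator's browser.
function render_title_unsafe(string $title): string {
    return "<td>{$title}</td>";
}

// Save-side validation: normalise and bound the value before it is stored.
// Note that '<' and '>' are deliberately NOT stripped here; output encoding is the
// control that prevents script execution, validation only rejects junk.
function validate_configuration_title(string $title): string {
    // Remove control characters and NUL bytes, which have no place in a label.
    $title = preg_replace('/[\x00-\x1F\x7F]/u', '', $title);
    $title = trim($title);
    if ($title === '' || mb_strlen($title) > 128) {
        throw new InvalidArgumentException('configuration_title out of range');
    }
    return $title;
}

// Render-side output encoding: the title is shown as text, never as markup.
function render_title_safe(string $title): string {
    return '<td>' . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Constructed sample of what a save request might carry (demonstration only).
$post = ['configuration_title' => [1 => "<script>alert(1)</script>Payment\x00 Module"]];

foreach ($post['configuration_title'] as $row => $title) {
    $clean = validate_configuration_title($title);
    echo "row {$row} unsafe: " . render_title_unsafe($clean) . PHP_EOL;
    echo "row {$row} safe:   " . render_title_safe($clean) . PHP_EOL;
}
```

The unsafe line reproduces the stored-script condition; the safe line shows the same value rendered as inert text, which is the property to verify when reviewing the admin templates.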

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0. No linked articles in our index yet.