Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)
Description
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JavaScript through the "configuration_title[1][MODULE_SHIPPING_PERCENT_TEXT_TITLE]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OsCommerce is vulnerable to stored XSS via the configuration_title parameter, allowing attackers to inject malicious scripts into admin pages.
Vulnerability
OsCommerce, an open-source e-commerce platform, is susceptible to a stored Cross-Site Scripting (XSS) vulnerability in the /admin/modules/save?set=shipping endpoint. The vulnerability resides in the configuration_title[1][MODULE_SHIPPING_PERCENT_TEXT_TITLE] parameter, which is not properly sanitized before being stored and later rendered in the admin interface. Affected versions include all releases prior to the patch date of September 2023, as indicated by the advisory from Fluid Attacks [1][2].
Exploitation
To exploit this vulnerability, an attacker must have administrative access to the OsCommerce admin panel, specifically the ability to edit shipping module settings. The attacker injects a JavaScript payload into the configuration_title[1][MODULE_SHIPPING_PERCENT_TEXT_TITLE] parameter via a POST request to the vulnerable endpoint. The payload is then stored and executed in the browsers of other admin users who view the affected configuration page, without requiring additional user interaction beyond the initial save [2].
Impact
Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary JavaScript in the context of the admin panel. This can result in session hijacking, credential theft, defacement, or redirection to malicious sites, compromising the integrity and confidentiality of the admin interface [2].
Mitigation
The vendor, OsCommerce, has not yet released a public patch or advisory as of the publication date. Users are advised to apply input validation and output encoding for all user-supplied data in the affected parameter, restrict admin panel access to trusted users, and monitor for updates from the official OsCommerce website [1][2]. If a fix becomes available, updating to the patched version is strongly recommended.
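The output encoding and input validation the mitigation paragraph recommends, shown as an added PHP example that is not osCommerce's own code: the parameter key comes from the advisory, but the `$stored` array, the `render_title_unsafe`, `render_title_safe` and `validate_title` functions, and the sample payload are constructed here for illustration.

```php
<?php
// Added example (not osCommerce code): rendering a stored shipping-module
// title in an admin page, with the unsafe pattern beside the hardened one.
// The configuration key matches the advisory; the storage array, function
// names and the sample value are constructed for this illustration.

declare(strict_types=1);

// Constructed stand-in for the module configuration store, keyed the way
// the POST parameter in the advisory is: configuration_title[1][KEY].
$stored = [
    1 => [
        'MODULE_SHIPPING_PERCENT_TEXT_TITLE' => 'Percent<script>alert(1)</script>',
    ],
];

// Unsafe: the stored value reaches the HTML response unencoded, so a title
// saved by one admin executes as script in every other admin's browser.
function render_title_unsafe(string $title): string
{
    return '<td class="module-title">' . $title . '</td>';
}

// Hardened: encode for the HTML context at output time. ENT_QUOTES also
// covers attribute contexts; ENT_SUBSTITUTE keeps invalid UTF-8 from
// silently turning the whole value into an empty string.
function render_title_safe(string $title): string
{
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<td class="module-title">' . $encoded . '</td>';
}

// Defence in depth on the input side: a display title for a shipping module
// has no legitimate need for markup, so reject anything outside a
// conservative allow-list before it is stored. Returns null on rejection.
function validate_title(string $title): ?string
{
    $title = trim($title);
    if ($title === '' || mb_strlen($title, 'UTF-8') > 64) {
        return null;
    }
    // Letters, digits, spaces and a few punctuation marks; no < > " ' &.
    if (!preg_match('/^[\p{L}\p{N} .,:%()\-]+$/u', $title)) {
        return null;
    }
    return $title;
}

$title = $stored[1]['MODULE_SHIPPING_PERCENT_TEXT_TITLE'];

echo "unsafe:   " . render_title_unsafe($title) . "\n";
echo "safe:     " . render_title_safe($title) . "\n";
echo "validate: " . var_export(validate_title($title), true) . "\n";
echo "validate: " . var_export(validate_title('Percent (5%)'), true) . "\n";
```

Run with `php example.php`. The encoded line shows the `<script>` tag rendered as literal text (`&lt;script&gt;`), the first `validate_title` call returns `NULL` for the constructed payload, and the second returns the plain title; encoding at output is the control that closes the vulnerability, while validation at input only narrows what can be stored.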
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Os Commerce / Os Commerce v5, range: 4.12.56860
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.