Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)
Description
Os Commerce 4.12.56860 is susceptible to a Cross-Site Scripting (XSS) vulnerability: the "title" parameter of the "/admin/admin-menu/add-submit" endpoint is not encoded before it is rendered, so an attacker can inject JavaScript that executes in the browser of a user of the admin interface.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Os Commerce is vulnerable to stored XSS via the title parameter at /admin/admin-menu/add-submit, enabling script injection in admin sessions.
Vulnerability
Os Commerce (versions prior to a fix) is susceptible to a stored Cross-Site Scripting (XSS) vulnerability in the /admin/admin-menu/add-submit endpoint. The title parameter is not encoded before it is rendered, so an attacker can inject arbitrary HTML and JavaScript. The advisory title classifies the issue as reflected XSS while this narrative describes the payload being stored; in both readings the sink is the same, the unencoded title value rendered in the admin interface. Reaching the endpoint requires no unusual configuration, only a valid admin session [2].
Exploitation
An attacker first needs a valid admin session, then sends a crafted request to /admin/admin-menu/add-submit with a malicious payload in the title parameter. The payload is stored and executes when an administrator views the affected menu item; the only user interaction required is the victim administrator loading that page [1][2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an administrator's browser session. Because the script runs with the administrator's privileges, it can hijack the session, deface content, exfiltrate sensitive information, or perform any action the admin interface exposes on the victim's behalf. The attack compromises the confidentiality and integrity of the admin interface [1][2].
Mitigation
As of the publication date, the provided references document no official patch or fixed version from Os Commerce; the vendor website [1] does not mention a fix. Operators should monitor for updates and, as a workaround, apply output encoding wherever the title value is rendered into HTML (the reliable control against XSS), with input validation on the title parameter as defence in depth [2].
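As an added illustration, not osCommerce's own code (the real add-submit handler and menu template are not shown on this page, and the function names below are hypothetical), the following PHP contrasts an unencoded title sink with the hardened rendering the workaround calls for, adds a validation step as defence in depth, and includes a marker-based check for re-testing the endpoint once a fix is applied:

```php
<?php
// Added illustration, not osCommerce code: the actual add-submit handler and
// admin-menu template are not reproduced here. Shows the unencoded "title"
// sink beside a hardened rendering, plus a response check for re-testing.
declare(strict_types=1);

// Hypothetical rendering of one admin-menu entry with the submitted title.
function renderMenuItemVulnerable(string $title): string
{
    // Raw interpolation: markup in "title" is parsed by the admin's browser.
    return '<li class="admin-menu-item">' . $title . '</li>';
}

function encodeHtml(string $value): string
{
    // ENT_QUOTES: encode ' and " so the value is also safe inside attributes.
    // ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderMenuItemHardened(string $title): string
{
    // Same markup, but the title is encoded at the sink, whatever it contains.
    return '<li class="admin-menu-item">' . encodeHtml($title) . '</li>';
}

// Defence in depth, not a substitute for encoding: reject titles that are
// empty, over-long (byte length), or contain control characters before storage.
function validateTitle(string $title): bool
{
    $title = trim($title);
    if ($title === '' || strlen($title) > 255) {
        return false;
    }
    return preg_match('/[\x00-\x1F\x7F]/', $title) !== 1;
}

// Re-test helper: true when the marker comes back as live markup, i.e. the
// page still renders the title raw; false when it was encoded or dropped.
function reflectsUnencoded(string $html, string $marker): bool
{
    return strpos($html, $marker) !== false;
}

// Constructed marker: a harmless tag carrying both quote styles, not an exploit.
$marker = '<xsscheck a="1" b=\'2\'>';

$before = renderMenuItemVulnerable($marker);
$after  = renderMenuItemHardened($marker);

echo "vulnerable: $before\n";
echo "hardened:   $after\n";

$ok = reflectsUnencoded($before, $marker)
   && !reflectsUnencoded($after, $marker)
   && $after === '<li class="admin-menu-item">&lt;xsscheck a=&quot;1&quot; b=&apos;2&apos;&gt;</li>'
   && validateTitle('Orders')
   && !validateTitle("Orders\x00");

echo $ok ? "check passed\n" : "check FAILED\n";
exit($ok ? 0 : 1);
```

Run it with the PHP CLI (`php xss_title_check.php`, any file name will do). To re-test a live instance, submit the marker as the title through the admin form and run reflectsUnencoded() over the returned page and over the page that lists menu items; a hit means the value is still rendered raw. Encode with the output context in mind: htmlspecialchars() with ENT_QUOTES covers HTML text and quoted attribute values, not JavaScript string or URL contexts, which need their own encoders.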
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Os Commerce / Os Commerce v5, affected version range: 4.12.56860
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.