Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)
Description
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JavaScript through the "BILLING_GENDER_TITLE[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
OsCommerce is vulnerable to stored XSS via the BILLING_GENDER_TITLE[1] parameter, allowing attackers to execute arbitrary JavaScript in victims' browsers.
Vulnerability
OsCommerce, an open-source e-commerce platform, is susceptible to a stored Cross-Site Scripting (XSS) vulnerability through the BILLING_GENDER_TITLE[1] parameter. This flaw exists in the admin panel's text management functionality, specifically when processing translation values. The vulnerability affects versions prior to the fix released in response to this disclosure [2].
Exploitation
An attacker with administrative access to the OsCommerce admin panel can inject a malicious JavaScript payload into the BILLING_GENDER_TITLE[1] parameter, for example via the endpoint /admin/texts/submit?translation_key=%23%23BILLING_ADDRESS%23%23&translation_entity=keys&row=0. When other administrators or users view the affected page, the injected script executes in their browser. No user interaction beyond viewing the page is required for the payload to fire [2].
Impact
Successful exploitation leads to persistent script execution within the context of the affected admin session. An attacker can steal session cookies, perform unauthorized actions, deface pages, or redirect users to malicious sites. Because the stored XSS persists in the application, every visit to the compromised page triggers the payload, affecting all users with access to that area [2].
Mitigation
The vendor, osCommerce, has not yet released a public patch or advisory as of the publication date. Users should sanitize all user-supplied input, specifically the BILLING_GENDER_TITLE[1] parameter, by implementing proper output encoding and validation. Until a fix is available, restrict admin panel access to trusted users only [1][2].
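As an added illustration of the output-encoding mitigation described above (example code, not osCommerce's own; function names and the sample value are hypothetical), the vulnerable echo of a stored translation value is shown beside a hardened version that encodes at output time and validates on write:

```php
<?php
// Added example, not osCommerce code: context-aware output encoding for a
// stored translation value such as BILLING_GENDER_TITLE[1]. All names here
// are hypothetical.

declare(strict_types=1);

// Encode a value for insertion into HTML text or a quoted attribute.
// ENT_QUOTES escapes both ' and ", so the result is safe in either context;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Validate a translation value when it is submitted: enforce a length limit
// and reject control characters. Validation on write is defence in depth;
// the value must still be encoded when it is rendered.
function validateTranslationValue(string $value, int $maxLen = 255): bool
{
    if (mb_strlen($value, 'UTF-8') > $maxLen) {
        return false;
    }
    // Disallow control characters other than ordinary whitespace (tab, LF, CR).
    return preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value) === 0;
}

// Vulnerable pattern: the stored value is echoed into the admin page unchanged,
// so any markup it contains is interpreted by the browser.
function renderTitleVulnerable(string $storedValue): string
{
    return '<label>' . $storedValue . '</label>';
}

// Hardened pattern: encode at output, in the exact context the value lands in.
function renderTitleHardened(string $storedValue): string
{
    return '<label>' . encodeForHtml($storedValue) . '</label>';
}

// Constructed sample: a harmless string containing markup-significant characters.
$sample = 'Mr. <b>"Title"</b> & \'co\'';

echo renderTitleVulnerable($sample), PHP_EOL; // markup passes through unchanged
echo renderTitleHardened($sample), PHP_EOL;   // markup characters are entity-encoded
var_dump(validateTranslationValue($sample));  // plain text within the length limit
```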
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Os Commerce / Os Commerce v5, range: 4.12.56860
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.