Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)
Description
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JavaScript through the "orders_status_groups_name[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Os Commerce is vulnerable to stored XSS via the orders_status_groups_name[1] parameter, allowing attackers to inject malicious scripts.
Vulnerability
Os Commerce, an open-source e-commerce platform, is susceptible to a stored Cross-Site Scripting (XSS) vulnerability. The flaw exists in the handling of the orders_status_groups_name[1] parameter, where user input is not properly sanitized before being stored and later rendered in the admin interface. This affects versions prior to the fix (if any). The advisory [2] indicates multiple XSS issues in the platform.
Exploitation
An attacker with administrative access to the Os Commerce backend can inject arbitrary JavaScript code via the orders_status_groups_name[1] parameter. The injected script is stored and executed when other administrators view the affected page. No user interaction beyond normal browsing is required for the victim.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive data. The attack targets administrative users, potentially compromising the entire e-commerce store.
Mitigation
As of the publication date (2023-09-30), no official patch has been released. Users should monitor the Os Commerce website [1] for updates. In the absence of a fix, input validation and output encoding should be applied to the vulnerable parameter. The advisory [2] recommends general XSS prevention measures.
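To illustrate the input validation and output encoding the mitigation refers to, here is an added example in PHP for an array-valued admin form field like orders_status_groups_name[]. It is not osCommerce's own code; the function names, the 64-character limit and the sample input are assumptions.

```php
<?php
// Added example (not osCommerce code): the unsafe pattern the advisory describes
// next to a hardened version. Function names and limits are hypothetical.

// Constructed sample input, as PHP would populate $_POST for
// orders_status_groups_name[1]=...
$post = ['orders_status_groups_name' => [1 => 'Pending<script>alert(1)</script>']];

// Unsafe: the stored value is echoed into the admin page as-is, so any markup
// in the name is interpreted by the browser of whichever admin views it.
function render_name_unsafe(string $name): string {
    return '<td>' . $name . '</td>';
}

// Validate on input: integer language ids only; trim, drop control characters,
// reject empty or over-long names. Validation alone is not enough, because a
// legitimate name may contain "&" or "<", so output encoding is still required.
function validate_status_group_names(array $raw): array {
    $clean = [];
    foreach ($raw as $languageId => $name) {
        if (!is_int($languageId) || !is_string($name)) {
            throw new InvalidArgumentException('bad language id or name type');
        }
        $name = trim(preg_replace('/[\x00-\x1F\x7F]/', '', $name));
        if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
            throw new InvalidArgumentException("invalid name for language $languageId");
        }
        $clean[$languageId] = $name;
    }
    return $clean;
}

// Encode on output, for the HTML context the value is rendered in.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function render_name_safe(string $name): string {
    return '<td>' . h($name) . '</td>';
}
// The same encoder covers the value attribute of the edit form's input field.
function render_name_input_safe(int $languageId, string $name): string {
    return '<input type="text" name="orders_status_groups_name[' . $languageId
        . ']" value="' . h($name) . '">';
}

$names = validate_status_group_names($post['orders_status_groups_name']);
echo render_name_unsafe($names[1]), "\n";       // script tag reaches the browser intact
echo render_name_safe($names[1]), "\n";         // tag is rendered as literal text
echo render_name_input_safe(1, $names[1]), "\n";
```

Running the script prints the three renderings side by side; only the first one leaves the injected markup active.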
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Os Commerce / Os Commerce, affected version range: 4.12.56860
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.