VYPR
Unrated severity · NVD Advisory · Published Sep 30, 2023 · Updated Sep 20, 2024

Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)

CVE-2023-43727

Description

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "stock_indication_text[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OsCommerce is vulnerable to stored XSS via the stock_indication_text[1] parameter, allowing attackers to inject malicious JavaScript into admin pages.

Vulnerability

OsCommerce, a free shopping cart and eCommerce platform [1], is susceptible to a stored Cross-Site Scripting (XSS) vulnerability in the admin interface. The vulnerability exists in the stock_indication_text[1] parameter, which is not properly sanitized, allowing an attacker to inject arbitrary JavaScript. This affects versions of OsCommerce up to the publication date (2023-09-30) [2].

Exploitation

To exploit this vulnerability, an attacker must have authenticated access as an admin user with privileges to manage stock indications. The attacker can craft a malicious payload in the stock_indication_text[1] parameter, which will be stored and executed in the browsers of other admin users who view the affected page [2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of an admin user's session. This can lead to session hijacking, defacement, data theft, or further compromise of the admin account and the underlying application [2].

Mitigation

As of the publication date, no official patch has been released by OsCommerce [2]. Mitigation measures include implementing proper input validation and output encoding for the stock_indication_text[1] parameter, using Content Security Policy (CSP) headers, and restricting admin access to trusted users only. Monitor vendor advisories for future updates.
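As an added illustration of the output-encoding and input-validation measures described above (example code, not osCommerce's own), the following PHP shows the vulnerable pattern of writing a stored stock_indication_text[1] value straight into admin HTML beside a hardened version; the function names, the validation limits and the sample value are constructed assumptions.

```php
<?php
// Added example, not osCommerce code. Only the parameter name stock_indication_text[1]
// comes from the advisory; functions, limits and sample data are constructed.

declare(strict_types=1);

// Vulnerable pattern: the stored per-language text is concatenated into the page
// unencoded, so any markup or script saved in it runs in every admin's browser.
function render_stock_indication_vulnerable(array $texts, int $languageId): string
{
    $text = $texts[$languageId] ?? '';
    return '<span class="stock-indication">' . $text . '</span>';
}

// Hardened: encode on output for the HTML text context. ENT_QUOTES also covers
// both quote characters, so the same helper is safe inside attribute values.
function encode_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_stock_indication_hardened(array $texts, int $languageId): string
{
    $text = $texts[$languageId] ?? '';
    return '<span class="stock-indication">' . encode_html($text) . '</span>';
}

// Defence in depth on input: a stock indication is short plain text, so reject
// anything else before it is stored (length and character set are assumed limits).
function validate_stock_indication(string $value): bool
{
    return mb_strlen($value, 'UTF-8') <= 64
        && preg_match('/^[\p{L}\p{N} .,!%()-]*$/u', $value) === 1;
}

// Constructed sample of what a POST of stock_indication_text[1] might carry.
$submitted = [1 => 'Only 2 left <script>x()</script>'];

// The vulnerable renderer emits the <script> element verbatim; the hardened one
// turns the angle brackets into entities so the browser shows them as text.
echo render_stock_indication_vulnerable($submitted, 1), PHP_EOL;
echo render_stock_indication_hardened($submitted, 1), PHP_EOL;

// The validator rejects the markup-bearing value and accepts a plain one.
var_dump(validate_stock_indication($submitted[1]));
var_dump(validate_stock_indication('Only 2 left!'));
```

Output encoding is the fix that removes the XSS; the input check only narrows what reaches storage and should not be relied on alone.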

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)