VYPR
Unrated severity · NVD Advisory · Published Sep 30, 2023 · Updated Sep 20, 2024

Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)

CVE-2023-43728

Description

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "stock_delivery_terms_text[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Os Commerce is vulnerable to stored XSS via the stock_delivery_terms_text[1] parameter in the admin stock delivery terms save endpoint, allowing script injection.

Vulnerability

Os Commerce, an e-commerce platform, is susceptible to a stored Cross-Site Scripting (XSS) vulnerability in the admin interface. The vulnerability exists in the /admin/stock-delivery-terms/save endpoint, where the stock_delivery_terms_text[1] parameter is not properly sanitized, allowing injection of arbitrary JavaScript. This affects versions prior to any fix. [2]

Exploitation

An attacker with administrative access to the Os Commerce backend can inject a malicious script via the stock_delivery_terms_text[1] parameter when saving stock delivery terms. The injected script is stored and subsequently executed in the browsers of other admin users who view the affected page. No user interaction beyond normal admin operations is required for the stored script to execute. [2]
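The store-then-render pattern the two paragraphs above describe, reduced to a stand-alone Python model. This is an added example, not osCommerce's own PHP code: the field name stock_delivery_terms_text[<language id>] is taken from the page as a label only, the in-memory store and the three functions are hypothetical, and the form body is constructed. It contrasts rendering the saved text raw (the defect) with escaping it at output (the fix), and includes a small pre-save check of the kind a review or a log-based alert rule could apply to this field.

```python
import html
import re
from typing import Dict, List

# Constructed sample of the admin "save" form the page describes: one
# stock_delivery_terms_text[<language id>] field per language. The value for
# language 1 carries an inert, clearly marked script tag to show the effect.
CONSTRUCTED_FORM: Dict[str, str] = {
    "stock_delivery_terms_text[1]": "Ships in 2-3 days <script>/* constructed marker */</script>",
    "stock_delivery_terms_text[2]": "Livraison sous 2-3 jours",
}

# Hypothetical persistence layer standing in for the real database table.
_store: Dict[str, str] = {}

FIELD_RE = re.compile(r"stock_delivery_terms_text\[(\d+)\]")
# Anything that looks like the start of an HTML tag (e.g. "<script", "</a").
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def save_terms(form: Dict[str, str]) -> int:
    """Persist every stock_delivery_terms_text[<id>] field exactly as submitted.

    Storing raw text is not itself the bug: the page's defect is that the
    stored text is later placed into HTML without encoding. Returns the number
    of fields stored.
    """
    stored = 0
    for key, value in form.items():
        match = FIELD_RE.fullmatch(key)
        if match:
            _store[match.group(1)] = value
            stored += 1
    return stored


def render_vulnerable(lang_id: str) -> str:
    """Vulnerable pattern: stored admin text interpolated into the page as-is,
    so any markup it contains becomes live in the viewer's browser."""
    return '<div class="terms">' + _store.get(lang_id, "") + "</div>"


def render_hardened(lang_id: str) -> str:
    """Hardened pattern: HTML-escape at the point of output, so the same stored
    text is shown literally and cannot introduce elements or attributes."""
    return '<div class="terms">' + html.escape(_store.get(lang_id, ""), quote=True) + "</div>"


def flag_markup_fields(form: Dict[str, str]) -> List[str]:
    """Detection aid: return the field names whose submitted value contains
    something that looks like an HTML tag. Useful as a review hook or to feed
    an alert on the save endpoint; it does not replace output encoding."""
    return [key for key, value in form.items() if FIELD_RE.fullmatch(key) and TAG_RE.search(value)]


if __name__ == "__main__":
    save_terms(CONSTRUCTED_FORM)
    print("flagged on save:", flag_markup_fields(CONSTRUCTED_FORM))
    print("vulnerable render:", render_vulnerable("1"))
    print("hardened render:  ", render_hardened("1"))
```

The point of keeping save_terms permissive is that terms text legitimately needs characters such as `<` and `&`; filtering on input tends to break real content while missing encodings the filter did not anticipate, whereas escaping in render_hardened is independent of what was stored. The flag_markup_fields check is there for visibility (who saved markup into this field, and when), which matters for a finding whose page notes no vendor fix.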

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the admin panel. This can lead to session hijacking, defacement, or theft of sensitive information, potentially compromising the entire e-commerce site. The impact is limited to users with admin access who view the affected page. [2]

Mitigation

As of the publication date (2023-09-30), no official patch or mitigation has been disclosed by the vendor. Users should monitor the official Os Commerce website for updates and consider restricting access to the admin panel to trusted users. [1] [2]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.