Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)
Description
Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JavaScript through the "countries_name[1]" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Os Commerce is susceptible to a stored XSS vulnerability via the 'countries_name[1]' parameter, allowing attackers to inject malicious scripts.
Vulnerability
Os Commerce is susceptible to a stored Cross-Site Scripting (XSS) vulnerability through the countries_name[1] parameter. This allows attackers to inject malicious JavaScript code that is stored and executed when other users access the affected page. The vulnerability exists in versions prior to the fix, as disclosed on the Fluid Attacks advisory [2].
Exploitation
An attacker with access to the admin panel can inject a malicious payload into the countries_name[1] parameter. The payload is then stored and executed in the browser of any user viewing the affected page. Admin privileges are the only authentication needed to perform the injection, but the stored script affects all users, including administrators.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information. The impact is limited to the admin panel's context.
Mitigation
Update to the latest version of Os Commerce as provided by the vendor. As of the publication date, no specific patch version is mentioned in the available references. Refer to the official website [1] for updates. No workarounds are documented.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Os Commerce / Os Commercev5, range: 4.12.56860
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.