VYPR
Unrated severity · NVD Advisory · Published Sep 30, 2023 · Updated Sep 20, 2024

Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)

CVE-2023-43731

Description

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JavaScript through the "zone_name" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Os Commerce is vulnerable to stored XSS via the 'zone_name' parameter, allowing attackers to inject malicious scripts.

Vulnerability

Os Commerce, an e-commerce platform, is susceptible to a stored Cross-Site Scripting (XSS) vulnerability through the "zone_name" parameter. This occurs due to insufficient input sanitization, allowing attackers to inject arbitrary JavaScript. The affected versions are not explicitly listed in the available references, but the vulnerability is present in the product [2].

Exploitation

An attacker can exploit this vulnerability by submitting a crafted payload in the "zone_name" parameter, likely through admin or user-facing forms that accept this parameter. No authentication is required if the parameter is accessible to unauthenticated users, but typical exploitation may require admin-level access depending on where the parameter is processed. The injected script executes when another user views the affected page [2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of a victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information. The impact is limited to the browser session but can affect admin users if they view the injected content [2].

Mitigation

As of the publication date (2023-09-30), no official patch or fixed version has been announced. Users should apply input validation and output encoding for the "zone_name" parameter. Reference [2] provides general advisory details but does not specify a fix.
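The mitigation above (validate the parameter on the way in, encode it on the way out) is shown below as an added example. This is not osCommerce's own code and does not reflect how the real application handles the parameter; the function names, the allow-list pattern and the sample values are all assumptions made for illustration.

```php
<?php
// Added example, not osCommerce code: validating and encoding a
// hypothetical "zone_name" request parameter before it is rendered
// into HTML. The sample inputs at the bottom are constructed.

declare(strict_types=1);

// Allow-list validation (assumed policy): a zone name is short and
// consists of letters, digits, spaces, dots, apostrophes and hyphens.
// Anything else is rejected rather than "cleaned", so the server never
// has to guess what the attacker intended.
function validate_zone_name(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 64) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} .\'-]+$/u', $value)) {
        return null;
    }
    return $value;
}

// Output encoding for an HTML element/attribute context: <, >, &, "
// and ' become entities, invalid UTF-8 is replaced instead of dropped.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the raw parameter is concatenated into markup,
// so a value such as <script>...</script> is handed to the browser as code.
function render_zone_row_vulnerable(string $zoneName): string
{
    return '<td>' . $zoneName . '</td>';
}

// Hardened pattern: validate first, then encode at the point of output.
// Encoding is applied even to values that passed validation, because
// the allow-list is a defence-in-depth layer, not the primary control.
function render_zone_row_hardened(string $zoneName): string
{
    $clean = validate_zone_name($zoneName);
    if ($clean === null) {
        return '<td class="error">Invalid zone name</td>';
    }
    return '<td>' . html_encode($clean) . '</td>';
}

// Constructed sample values standing in for what a form would submit.
$samples = [
    'New South Wales',             // ordinary zone name
    "O'Brien's Zone",              // apostrophe must be encoded, not rejected
    '<script>alert(1)</script>',   // markup: rejected by the allow-list
    'Zone" onmouseover="x',        // attribute breakout attempt: rejected
];

foreach ($samples as $s) {
    echo "vulnerable: " . render_zone_row_vulnerable($s) . PHP_EOL;
    echo "hardened:   " . render_zone_row_hardened($s) . PHP_EOL;
}
```

The key point is that `html_encode` is called at the output boundary regardless of what validation did earlier; validation reduces the attack surface, but contextual output encoding is what actually prevents the browser from interpreting the value as HTML or script. If the same value is later written into a JavaScript string or a URL, a different encoder for that context is required.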

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)