VYPR
Unrated severity · NVD Advisory · Published Sep 30, 2023 · Updated Sep 20, 2024

Os Commerce 4.12.56860 - Cross Site Scripting Reflected (XSS)

CVE-2023-43732

Description

Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject JS through the "tax_class_title" parameter, potentially leading to unauthorized execution of scripts within a user's web browser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Os Commerce is susceptible to a stored XSS vulnerability via the tax_class_title parameter, allowing attackers to inject JavaScript.

Vulnerability

Os Commerce is susceptible to a Cross-Site Scripting (XSS) vulnerability through the tax_class_title parameter. The parameter is not properly sanitized, allowing attackers to inject malicious JavaScript code. No affected version range is specified for Os Commerce, but the vulnerability is present in the current release as of September 2023 [2].

Exploitation

An attacker must have administrative access to the Os Commerce backend to modify the tax_class_title parameter. The injected script is stored and executed when a user loads the affected page, potentially triggering actions such as session hijacking or data exfiltration. No user interaction beyond viewing the page is required [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an authenticated administrator's browser. This can lead to unauthorized actions, sensitive data disclosure, or further compromise of the application. The impact is limited to the admin interface but can have severe consequences [2].

Mitigation

No official patch or fixed version has been released by Os Commerce as of the publication date. Administrators should manually sanitize the tax_class_title parameter and monitor for updates. Input validation and output encoding are recommended as interim measures [2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
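The interim measures named under Mitigation (validate the parameter on input, encode it on output) are illustrated below. This is an added example written for this page; it is not Os Commerce code and is not taken from the advisory or its references. The parameter name tax_class_title comes from the description; the admin form field, the HTML rendering contexts, the 32-character length limit and the sample input are assumptions.

```php
<?php
// Added example, not Os Commerce code. Shows the interim measures from the
// Mitigation section: validate tax_class_title on input, encode it on output.
// Field name, rendering context and length limit are assumptions.

declare(strict_types=1);

/**
 * Encode an untrusted string for an HTML text node or a double-quoted
 * attribute value. ENT_QUOTES encodes both ' and ", ENT_SUBSTITUTE replaces
 * invalid UTF-8 instead of returning an empty string.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Server-side validation for a tax class title: trim, bound the length,
 * reject control characters. Returns null when the value is unacceptable.
 * Validation does not try to strip HTML; that job belongs to output encoding.
 * The 32-character limit is an assumption, not an Os Commerce constraint.
 */
function validateTaxClassTitle(string $raw): ?string
{
    $title = trim($raw);
    if ($title === '' || mb_strlen($title, 'UTF-8') > 32) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/u', $title) === 1) {
        return null;
    }
    return $title;
}

// Constructed sample input standing in for the submitted tax_class_title value.
$submitted = '<script>alert(1)</script>';

// Vulnerable pattern: the raw value is concatenated straight into the page.
$vulnerableHtml = '<td>' . $submitted . '</td>';

// Hardened pattern: validate first, then encode for each output context.
$clean = validateTaxClassTitle($submitted) ?? '';
$safeCell = '<td>' . encodeForHtml($clean) . '</td>';
$safeInput = '<input type="text" name="tax_class_title" value="' . encodeForHtml($clean) . '">';

echo $vulnerableHtml, PHP_EOL; // the browser would execute the injected script
echo $safeCell, PHP_EOL;       // &lt;script&gt;alert(1)&lt;/script&gt; shown as text
echo $safeInput, PHP_EOL;      // the quotes inside the value are encoded too
```

The split between validation and encoding matters: a length or character check on input cannot anticipate every HTML context, so encoding at the point of output, with the flags matching that context, is what actually neutralizes injected markup. Rendering inside a JavaScript block or a URL would need a different encoder than the HTML one shown here.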

Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0 (no linked articles in our index yet)