CVE-2024-41141

CVE-2024-41141

Analysis

A stored cross-site scripting (XSS) vulnerability exists in the OAuth Management feature of the EC-CUBE Web API Plugin [1][2]. The root cause is insufficient sanitization of user-controlled input when rendering shop names in OAuth confirmation screens [2]. Specifically, the template uses the Twig |escape filter, but it was missing on the BaseInfo.shop_name output, allowing an attacker to inject arbitrary HTML/JavaScript [2].

Exploitation requires that an authenticated user with administrative privileges on the OAuth Management page inputs a crafted value [1]. The malicious payload is then stored and executed when any other user (who also has access to the management page) loads the affected OAuth confirmation screen [1]. No special network position is required beyond being able to reach the EC-CUBE admin interface.

Successful exploitation allows an attacker to execute arbitrary scripts in the context of another administrator's web browser session [1]. This can lead to session hijacking, manipulation of admin actions, or exfiltration of sensitive data visible in the management interface. The CVSS v3 score is 6.1 (Medium) due to high privileges required but the ability to affect other users [1].

EC-CUBE CO.,LTD. has released updated versions of the plugin: for EC-CUBE 4.0/4.1 series, version 2.1.4 or later; for EC-CUBE 4.2 series, version 4.2.4 or later [1]. The fix adds proper escaping of the shop name variable in the OAuth template [2]. Users are advised to update to the latest version to remediate the vulnerability.