Os Commerce - Stored Cross-Site Scripting (XSS)

Name: Os Commerce 4.12.56860 - Cross Site Scripting (XSS)
Code name:
Product: Os Commerce
Affected versions: 4.12.56860
State: Public
Release date: 2023-09-29

Vulnerability

Description

Os Commerce is an e-commerce platform that enables businesses to create online stores and manage product listings, orders, and more. It offers various features to streamline online selling.

Vulnerability

Os Commerce 4.12.56860 is susceptible to stored Cross-Site Scripting (XSS). An attacker can inject script through specific parameters of the administration panel; the injected value is stored and later rendered without encoding, so the script executes in the web browser of any user who views the affected page.

Exploiting XSS (Cross-Site Scripting) vulnerabilities can have severe consequences for web applications and their users. This type of vulnerability occurs when user-supplied input is not properly validated and sanitized before being included in a page, allowing malicious actors to inject scripts that are executed by other users visiting the same web page.

Exploitation

In this scenario, we have identified several URLs and their corresponding vulnerable parameters, each of which can be manipulated to execute a common malicious payload:

"><script>alert(13)</script>.

The payload executes in each of the following endpoints; the affected URL and parameter are listed for each.

Here's a brief explanation of each of the vulnerable URLs and parameters:

  1. CVE-2023-43702: /admin/orders/tracking-save - Vulnerable Parameter: tracking_number
  2. CVE-2023-43703: /admin/editor/show-basket?orders_id=4&currentCart=cart%7C1-35025&uprid=29&action=edit_product - Vulnerable Parameter: product_info[][name]
  3. CVE-2023-43704: /admin/design/theme-title - Vulnerable Parameter: title
  4. CVE-2023-43705: /admin/texts/submit?translation_key=%23%23BILLING_ADDRESS%23%23&translation_entity=keys&row=0 - Vulnerable Parameter: translation_value[1]
  5. CVE-2023-43706: /admin/email/templates-save - Vulnerable Parameter: email_templates_key
  6. CVE-2023-43707: /admin/catalog-pages/edit?id=0&platform_id=1&parent_id=0 - Vulnerable Parameter: CatalogsPageDescriptionForm[1][name]
  7. CVE-2023-43708: /admin/modules/save?set=payment - Vulnerable Parameter: configuration_title1
  8. CVE-2023-43709: /admin/modules/save?set=payment - Vulnerable Parameter: configuration_title1
  9. CVE-2023-43710: /admin/modules/save?set=shipping - Vulnerable Parameter: configuration_title[1][MODULE_SHIPPING_PERCENT_TEXT_TITLE]
  10. CVE-2023-43711: /admin/adminmembers/adminsubmit - Vulnerable Parameter: admin_firstname
  11. CVE-2023-43712: /admin/adminfiles/submit - Vulnerable Parameter: access_levels_name
  12. CVE-2023-43713: /admin/admin-menu/add-submit - Vulnerable Parameter: title
  13. CVE-2023-43714: /admin/configuration/saveparam - Vulnerable Parameter: SKIP_CART_PAGE_TITLE[1]
  14. CVE-2023-43715: /admin/configuration/saveparam - Vulnerable Parameter: ENTRY_FIRST_NAME_MIN_LENGTH_TITLE[1]
  15. CVE-2023-43716: /admin/configuration/saveparam - Vulnerable Parameter: MAX_DISPLAY_NEW_PRODUCTS_TITLE[1]
  16. CVE-2023-43717: /admin/configuration/saveparam - Vulnerable Parameter: MSEARCH_HIGHLIGHT_ENABLE_TITLE[1]
  17. CVE-2023-43718: /admin/configuration/saveparam - Vulnerable Parameter: MSEARCH_ENABLE_TITLE[1]
  18. CVE-2023-43719: /admin/configuration/saveparam - Vulnerable Parameter: SHIPPING_GENDER_TITLE[1]
  19. CVE-2023-43720: /admin/configuration/saveparam - Vulnerable Parameter: BILLING_GENDER_TITLE[1]
  20. CVE-2023-43721: /admin/configuration/saveparam - Vulnerable Parameter: PACKING_SLIPS_SUMMARY_TITLE[1]
  21. CVE-2023-43722: /admin/orders_status_groups/save?orders_status_groups_id=5 - Vulnerable Parameter: orders_status_groups_name[1]
  22. CVE-2023-43723: /admin/orders_status/save?type_id=2 - Vulnerable Parameter: orders_status_name[1]
  23. CVE-2023-43724: /admin/orders-comment-template/edit - Vulnerable Parameter: derb6zmklgtjuhh2cn5chn2qjbm2st gmfa4.oastify.comscription[1][name]
  24. CVE-2023-43725: /admin/orders_products_status/save?orders_products_status_id=50 - Vulnerable Parameter: orders_products_status_name_long[1]
  25. CVE-2023-43726: /admin/orders_products_status_manual/save?orders_products_status_manual_id=0 - Vulnerable Parameter: orders_products_status_manual_name_long[1]
  26. CVE-2023-43727: /admin/stock-indication/save?stock_indication_id=11 - Vulnerable Parameter: stock_indication_text%5B1%5D
  27. CVE-2023-43728: /admin/stock-delivery-terms/save?stock_delivery_terms_id=1 - Vulnerable Parameter: stock_delivery_terms_text%5B1%5
  28. CVE-2023-43729: /admin/xsell-types/save?xsell_type_id=0 - Vulnerable Parameter: xsell_type_name%5B1%5D
  29. CVE-2023-43730: /admin/countries/save?countries_id=0 - Vulnerable Parameter: countries_name[1]
  30. CVE-2023-43731: /admin/zones/save?zones_id=0 - Vulnerable Parameter: zone_name
  31. CVE-2023-43732: /admin/tax_classes/save?tax_classes_id=0 - Vulnerable Parameter: tax_class_title
  32. CVE-2023-43733: /admin/tax_rates/save?tax_rates_id=13 - Vulnerable Parameter: company_address
  33. CVE-2023-43734: /admin/languages/save?languages_id=2&action=save - Vulnerable Parameter: name
  34. CVE-2023-43735: /admin/address-formats/index - Vulnerable Parameter: formats_titles[7]
  35. CVE-2023-5111: /admin/featured-types/save?featured_type_id=0 - Vulnerable Parameter: featured_type_name[1]
  36. CVE-2023-5112: /admin/specials-types/save?specials_type_id=0 - Vulnerable Parameter: specials_type_name[1]

To exploit these vulnerabilities, an attacker would simply need to modify the respective parameter with the provided payload:

"><script>alert(13)</script>.

This payload triggers the execution of malicious scripts when the affected URLs are accessed.

Evidence of exploitation

The same behavior repeats across the previously mentioned URLs and parameters: injecting the payload into any of the affected parameters or fields is enough for it to be stored and executed when the corresponding page is rendered.

Our security policy

We have reserved the following IDs to refer to this issue from now on: CVE-2023-43702, CVE-2023-43703, CVE-2023-43704, CVE-2023-43705, CVE-2023-43706, CVE-2023-43707, CVE-2023-43708, CVE-2023-43709, CVE-2023-43710, CVE-2023-43711, CVE-2023-43712, CVE-2023-43713, CVE-2023-43714, CVE-2023-43715, CVE-2023-43716, CVE-2023-43717, CVE-2023-43718, CVE-2023-43719, CVE-2023-43720, CVE-2023-43721, CVE-2023-43722, CVE-2023-43723, CVE-2023-43724, CVE-2023-43725, CVE-2023-43726, CVE-2023-43727, CVE-2023-43728, CVE-2023-43729, CVE-2023-43730, CVE-2023-43731, CVE-2023-43732, CVE-2023-43733, CVE-2023-43734, CVE-2023-43735, CVE-2023-5111, CVE-2023-5112.

System Information

  • Version: Os Commerce 4.12.56860

  • Operating System: Windows

Mitigation

There is currently no patch available for this vulnerability.
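While no vendor patch exists, one compensating control is to review admin POST traffic (reverse-proxy or WAF logs) for the affected parameters. The script below is an added example written for this advisory, not code from Fluid Attacks or from osCommerce; the endpoint subset, the marker regex and the sample requests are assumptions constructed for illustration, and it handles the percent-encoded and array-indexed parameter names that appear in the list above.

```python
"""Flag admin requests that carry script-like values in the parameters listed
in this advisory. Constructed example; not part of the advisory or of osCommerce."""
import re
from urllib.parse import parse_qsl

# Subset of the advisory's (endpoint, parameter) pairs. Array indices such as
# "[1]" or "%5B1%5D" are stripped by base_name() so one entry covers them all.
AFFECTED = {
    "/admin/orders/tracking-save": {"tracking_number"},
    "/admin/design/theme-title": {"title"},
    "/admin/modules/save": {"configuration_title"},
    "/admin/configuration/saveparam": {"SKIP_CART_PAGE_TITLE", "MSEARCH_ENABLE_TITLE"},
    "/admin/stock-indication/save": {"stock_indication_text"},
    "/admin/zones/save": {"zone_name"},
}

# Markers of HTML/script injection in a decoded value (assumed heuristic, case-insensitive).
XSS_MARKERS = re.compile(r'<\s*script|"\s*>|on\w+\s*=|javascript:', re.IGNORECASE)


def base_name(param: str) -> str:
    """'configuration_title[1][MODULE_X]' -> 'configuration_title'."""
    return param.split("[", 1)[0]


def scan_request(path: str, body: str) -> list:
    """Return (decoded_param, decoded_value) pairs that hit an affected parameter."""
    targets = AFFECTED.get(path.split("?", 1)[0])
    if not targets:
        return []
    # parse_qsl URL-decodes both names (e.g. %5B1%5D -> [1]) and values.
    return [(name, value) for name, value in parse_qsl(body, keep_blank_values=True)
            if base_name(name) in targets and XSS_MARKERS.search(value)]


def scan_log(requests) -> list:
    """Apply scan_request to (path, body) pairs; returns (path, hit) tuples."""
    return [(path, hit) for path, body in requests for hit in scan_request(path, body)]


# Constructed sample requests (path, URL-encoded body); not real traffic.
SAMPLE_REQUESTS = [
    ("/admin/zones/save?zones_id=0", "zone_name=Antioquia&countries_id=48"),
    ("/admin/zones/save?zones_id=0",
     "zone_name=%22%3E%3Cscript%3Ealert%2813%29%3C%2Fscript%3E"),
    ("/admin/stock-indication/save?stock_indication_id=11",
     "stock_indication_text%5B1%5D=In+stock+%3Cscript%3Ealert%2813%29%3C%2Fscript%3E"),
    ("/admin/modules/save?set=shipping",
     "configuration_title%5B1%5D%5BMODULE_SHIPPING_PERCENT_TEXT_TITLE%5D=Flat+%3Cb%3Erate%3C%2Fb%3E"),
]

if __name__ == "__main__":
    for path, (param, value) in scan_log(SAMPLE_REQUESTS):
        print(f"{path}: {param} = {value!r}")
```

The last sample shows the trade-off of a marker list: plain HTML such as `<b>` in a title is not flagged, so pair this with output encoding on the rendering side rather than relying on it alone.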

Credits

The vulnerability was discovered by Takao Sato from Fluid Attacks' Offensive Team.

References

Vendor page https://www.oscommerce.com

Timeline

2023-09-22: Vulnerability discovered.

2023-09-22: Vendor contacted.

2023-09-29: Public disclosure.
