Os Commerce - Cross Site Scripting Stored (XSS)

NameOs Commerce 4.12.56860 - Cross Site Scripting (XSS)
Code name
ProductOs Commerce
Affected versions4.12.56860
Release date2023-09-29



Os Commerce is an e-commerce platform that enables businesses to create online stores and manage product listings, orders, and more. It offers various features to streamline online selling.


Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) vulnerability. This vulnerability allows attackers to inject malicious scripts into specific parameters of the application, potentially leading to unauthorized script execution within a user's web browser.

Exploiting XSS (Cross Site Scripting) vulnerabilities can have severe consequences for web applications and their users. This type of vulnerability occurs when input data from users is not properly validated and sanitized, allowing malicious actors to inject scripts that can be executed by other users visiting the same web page.


In this scenario, we have identified several URLs and their corresponding vulnerable parameters, each of which can be manipulated to execute a common malicious payload:


In the following endpoints, the payload is executable, and we provide the affected URLs and parameters.

Here's a brief explanation of each of the vulnerable URLs and parameters:

  1. CVE-2023-43702: /admin/orders/tracking-save - Vulnerable Parameter: tracking_number
  2. CVE-2023-43703: /admin/editor/show-basket?orders_id=4& currentCart=cart%7C1-35025&uprid=29&action=edit_product - Vulnerable Parameter: product_info[][name] -
  3. CVE-2023-43704: /admin/design/theme-title - Vulnerable Parameter: title
  4. CVE-2023-43705: /admin/texts/submit?translation_key=%23%23BILLING_ADDRESS %23%23&translation_entity=keys&row=0 - Vulnerable Parameter: translation_value[1]
  5. CVE-2023-43706: /admin/email/templates-save - Vulnerable Parameter: email_templates_key
  6. CVE-2023-43707: /admin/catalog-pages/edit?id=0&platform_id=1&parent_id=0 - Vulnerable Parameter: CatalogsPageDescriptionForm[1][name]
  7. CVE-2023-43708: /admin/modules/save?set=payment - Vulnerable Parameter: configuration_title1
  8. CVE-2023-43709: /admin/modules/save?set=payment - Vulnerable Parameter: configuration_title1
  9. CVE-2023-43710: /admin/modules/save?set=shipping - Vulnerable Parameter: configuration_title[1][MODULE_SHIPPING_PERCENT_TEXT_TITLE]
  10. CVE-2023-43711: /admin/adminmembers/adminsubmit - Vulnerable Parameter: admin_firstname
  11. CVE-2023-43712: /admin/adminfiles/submit - Vulnerable Parameter: access_levels_name
  12. CVE-2023-43713: /admin/admin-menu/add-submit - Vulnerable Parameter: title
  13. CVE-2023-43714: /admin/configuration/saveparam - Vulnerable Parameter: SKIP_CART_PAGE_TITLE[1]
  14. CVE-2023-43715: /admin/configuration/saveparam - Vulnerable Parameter: ENTRY_FIRST_NAME_MIN_LENGTH_TITLE[1]
  15. CVE-2023-43716: /admin/configuration/saveparam - Vulnerable Parameter: MAX_DISPLAY_NEW_PRODUCTS_TITLE[1]
  16. CVE-2023-43717: /admin/configuration/saveparam - Vulnerable Parameter: MSEARCH_HIGHLIGHT_ENABLE_TITLE[1]
  17. CVE-2023-43718: /admin/configuration/saveparam - Vulnerable Parameter: MSEARCH_ENABLE_TITLE[1]
  18. CVE-2023-43719: /admin/configuration/saveparam - Vulnerable Parameter: SHIPPING_GENDER_TITLE[1]
  19. CVE-2023-43720: /admin/configuration/saveparam - Vulnerable Parameter: BILLING_GENDER_TITLE[1]
  20. CVE-2023-43721: /admin/configuration/saveparam - Vulnerable Parameter: PACKING_SLIPS_SUMMARY_TITLE[1]
  21. CVE-2023-43722: /admin/orders_status_groups/save? orders_status_groups_id=5 - Vulnerable Parameter: orders_status_groups_name[1]
  22. CVE-2023-43723: /admin/orders_status/save?type_id=2 - Vulnerable Parameter: orders_status_name[1]
  23. CVE-2023-43724: /admin/orders-comment-template/edit - Vulnerable Parameter: derb6zmklgtjuhh2cn5chn2qjbm2st gmfa4.oastify.comscription[1][name]
  24. CVE-2023-43725: /admin/orders_products_status/save? orders_products_status_id=50 - Vulnerable Parameter: orders_products_status_name_long[1]
  25. CVE-2023-43726: /admin/orders_products_status_manual/save? orders_products_status_manual_id=0 - Vulnerable Parameter: orders_products_status_manual_name_long[1]
  26. CVE-2023-43727: /admin/stock-indication/save? stock_indication_id=11 - Vulnerable Parameter: stock_indication_text%5B1%5D
  27. CVE-2023-43728: /admin/stock-delivery-terms/save? stock_delivery_terms_id=1 - Vulnerable Parameter: stock_delivery_terms_text%5B1%5
  28. CVE-2023-43729: /admin/xsell-types/save?xsell_type_id=0 - Vulnerable Parameter: xsell_type_name%5B1%5D
  29. CVE-2023-43730: /admin/countries/save?countries_id=0 - Vulnerable Parameter: countries_name[1]
  30. CVE-2023-43731: /admin/zones/save?zones_id=0 - Vulnerable Parameter: zone_name
  31. CVE-2023-43732: /admin/tax_classes/save?tax_classes_id=0 - Vulnerable Parameter: tax_class_title
  32. CVE-2023-43733: /admin/tax_rates/save?tax_rates_id=13 - Vulnerable Parameter: company_address
  33. CVE-2023-43734: /admin/languages/save?languages_id=2&action=save - Vulnerable Parameter: name
  34. CVE-2023-43735: /admin/address-formats/index - Vulnerable Parameter: formats_titles[7]
  35. CVE-2023-5111: /admin/featured-types/save?featured_type_id=0 - Vulnerable Parameter: featured_type_name[1]
  36. CVE-2023-5112: /admin/specials-types/save?specials_type_id=0 - Vulnerable Parameter: specials_type_name[1]

To exploit these vulnerabilities, an attacker would simply need to modify the respective parameter with the provided payload:


This payload triggers the execution of malicious scripts when the affected URLs are accessed.

Evidence of exploitation

The same behavior repeats across the previously mentioned URLs and parameters. You only need to inject the payload into the affected parameters or fields, and it will be executed.

Our security policy

We have reserved those IDs: CVE-2023-43702, CVE-2023-43703, CVE-2023-43704, CVE-2023-43705, CVE-2023-43706, CVE-2023-43707, CVE-2023-43708, CVE-2023-43709, CVE-2023-43710, CVE-2023-43711, CVE-2023-43712, CVE-2023-43713, CVE-2023-43714, CVE-2023-43715, CVE-2023-43716, CVE-2023-43717, CVE-2023-43718, CVE-2023-43719, CVE-2023-43720, CVE-2023-43721, CVE-2023-43722, CVE-2023-43723, CVE-2023-43724, CVE-2023-43725, CVE-2023-43726, CVE-2023-43727, CVE-2023-43728, CVE-2023-43729, CVE-2023-43730, CVE-2023-43731, CVE-2023-43732, CVE-2023-43733, CVE-2023-43734, CVE-2023-43735, CVE-2023-5111, CVE-2023-5112

to refer to this issue from now on.

System Information

  • Version: Os Commerce 4.12.56860

  • Operating System: Windows


There is currently no patch available for this vulnerability.


The vulnerability was discovered by Takao Sato from Fluid Attacks' Offensive Team.


Vendor page https://www.oscommerce.com




Vulnerability discovered.



Vendor contacted.



Public Disclosure.

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.