Os Commerce - Cross Site Scripting Stored (XSS)
8.5
High
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Os Commerce 4.12.56860 - Cross Site Scripting (XSS)
Code name
State
Public
Release date
Sep 29, 2023
Affected product
Os Commerce
Affected version(s)
4.12.56860
Vulnerability name
Cross Site Scripting Stored
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v3.1 base score
8.1
Exploit available
Yes
CVE ID(s)
CVE-2023-43702, CVE-2023-43703, CVE-2023-43704, CVE-2023-43705, CVE-2023-43706, CVE-2023-43707, CVE-2023-43708, CVE-2023-43709, CVE-2023-43710, CVE-2023-43711, CVE-2023-43712, CVE-2023-43713, CVE-2023-43714, CVE-2023-43715, CVE-2023-43716, CVE-2023-43717, CVE-2023-43718, CVE-2023-43719, CVE-2023-43720, CVE-2023-43721, CVE-2023-43722, CVE-2023-43723, CVE-2023-43724, CVE-2023-43725, CVE-2023-43726, CVE-2023-43727, CVE-2023-43728, CVE-2023-43729, CVE-2023-43730, CVE-2023-43731, CVE-2023-43732, CVE-2023-43733, CVE-2023-43734, CVE-2023-43735, CVE-2023-43736, CVE-2023-5111, CVE-2023-5112
Description
Os Commerce is an e-commerce platform that enables businesses to create online stores and manage product listings, orders, and more. It offers various features to streamline online selling.
Vulnerability
Os Commerce is currently susceptible to a stored Cross-Site Scripting (XSS) vulnerability. It allows an authenticated attacker to inject malicious scripts into specific parameters of the application; the injected content is persisted and later executed in the web browser of any user who views the affected page.
Exploiting XSS (Cross Site Scripting) vulnerabilities can have severe consequences for web applications and their users. This type of vulnerability occurs when user-supplied input is not properly validated and sanitized, or is rendered without output encoding, allowing malicious actors to inject scripts that are executed by other users visiting the same web page.
Exploitation
In this scenario, we identified several URLs and their corresponding vulnerable parameters, each of which can be manipulated to execute the same malicious payload.
The following endpoints, listed with their affected URLs and parameters, are those where the payload is executable:
CVE-2023-43702: /admin/orders/tracking-save - Vulnerable Parameter: tracking_number
CVE-2023-43703: /admin/editor/show-basket?orders_id=4&currentCart=cart%7C1-35025&uprid=29&action=edit_product - Vulnerable Parameter: product_info[][name]
CVE-2023-43704: /admin/design/theme-title - Vulnerable Parameter: title
CVE-2023-43705: /admin/texts/submit?translation_key=%23%23BILLING_ADDRESS%23%23&translation_entity=keys&row=0 - Vulnerable Parameter: translation_value[1]
CVE-2023-43706: /admin/email/templates-save - Vulnerable Parameter: email_templates_key
CVE-2023-43707: /admin/catalog-pages/edit?id=0&platform_id=1&parent_id=0 - Vulnerable Parameter: CatalogsPageDescriptionForm[1][name]
CVE-2023-43708: /admin/modules/save?set=payment - Vulnerable Parameter: configuration_title1
CVE-2023-43709: /admin/modules/save?set=payment - Vulnerable Parameter: configuration_title1
CVE-2023-43710: /admin/modules/save?set=shipping - Vulnerable Parameter: configuration_title[1][MODULE_SHIPPING_PERCENT_TEXT_TITLE]
CVE-2023-43711: /admin/adminmembers/adminsubmit - Vulnerable Parameter: admin_firstname
CVE-2023-43712: /admin/adminfiles/submit - Vulnerable Parameter: access_levels_name
CVE-2023-43713: /admin/admin-menu/add-submit - Vulnerable Parameter: title
CVE-2023-43714: /admin/configuration/saveparam - Vulnerable Parameter: SKIP_CART_PAGE_TITLE[1]
CVE-2023-43715: /admin/configuration/saveparam - Vulnerable Parameter: ENTRY_FIRST_NAME_MIN_LENGTH_TITLE[1]
CVE-2023-43716: /admin/configuration/saveparam - Vulnerable Parameter: MAX_DISPLAY_NEW_PRODUCTS_TITLE[1]
CVE-2023-43717: /admin/configuration/saveparam - Vulnerable Parameter: MSEARCH_HIGHLIGHT_ENABLE_TITLE[1]
CVE-2023-43718: /admin/configuration/saveparam - Vulnerable Parameter: MSEARCH_ENABLE_TITLE[1]
CVE-2023-43719: /admin/configuration/saveparam - Vulnerable Parameter: SHIPPING_GENDER_TITLE[1]
CVE-2023-43720: /admin/configuration/saveparam - Vulnerable Parameter: BILLING_GENDER_TITLE[1]
CVE-2023-43721: /admin/configuration/saveparam - Vulnerable Parameter: PACKING_SLIPS_SUMMARY_TITLE[1]
CVE-2023-43722: /admin/orders_status_groups/save?orders_status_groups_id=5 - Vulnerable Parameter: orders_status_groups_name[1]
CVE-2023-43723: /admin/orders_status/save?type_id=2 - Vulnerable Parameter: orders_status_name[1]
CVE-2023-43724: /admin/orders-comment-template/edit - Vulnerable Parameter: derb6zmklgtjuhh2cn5chn2qjbm2stgmfa4.oastify.comscription[1][name]
CVE-2023-43725: /admin/orders_products_status/save?orders_products_status_id=50 - Vulnerable Parameter: orders_products_status_name_long[1]
CVE-2023-43726: /admin/orders_products_status_manual/save?orders_products_status_manual_id=0 - Vulnerable Parameter: orders_products_status_manual_name_long[1]
CVE-2023-43727: /admin/stock-indication/save?stock_indication_id=11 - Vulnerable Parameter: stock_indication_text%5B1%5D
CVE-2023-43728: /admin/stock-delivery-terms/save?stock_delivery_terms_id=1 - Vulnerable Parameter: stock_delivery_terms_text%5B1%5
CVE-2023-43729: /admin/xsell-types/save?xsell_type_id=0 - Vulnerable Parameter: xsell_type_name%5B1%5D
CVE-2023-43730: /admin/countries/save?countries_id=0 - Vulnerable Parameter: countries_name[1]
CVE-2023-43731: /admin/zones/save?zones_id=0 - Vulnerable Parameter: zone_name
CVE-2023-43732: /admin/tax_classes/save?tax_classes_id=0 - Vulnerable Parameter: tax_class_title
CVE-2023-43733: /admin/tax_rates/save?tax_rates_id=13 - Vulnerable Parameter: company_address
CVE-2023-43734: /admin/languages/save?languages_id=2&action=save - Vulnerable Parameter: name
CVE-2023-43735: /admin/address-formats/index - Vulnerable Parameter: formats_titles[7]
CVE-2023-5111: /admin/featured-types/save?featured_type_id=0 - Vulnerable Parameter: featured_type_name[1]
CVE-2023-5112: /admin/specials-types/save?specials_type_id=0 - Vulnerable Parameter: specials_type_name[1]
To exploit these vulnerabilities, an attacker only needs to submit the provided payload in the respective parameter.
Once stored, the payload executes in the browser whenever the affected URLs are accessed.
Evidence of exploitation
The same behavior repeats across all of the URLs and parameters listed above: injecting the payload into the affected parameter or field is sufficient for it to be stored and executed.
Our security policy
We have reserved the IDs CVE-2023-43702, CVE-2023-43703, CVE-2023-43704, CVE-2023-43705, CVE-2023-43706, CVE-2023-43707, CVE-2023-43708, CVE-2023-43709, CVE-2023-43710, CVE-2023-43711, CVE-2023-43712, CVE-2023-43713, CVE-2023-43714, CVE-2023-43715, CVE-2023-43716, CVE-2023-43717, CVE-2023-43718, CVE-2023-43719, CVE-2023-43720, CVE-2023-43721, CVE-2023-43722, CVE-2023-43723, CVE-2023-43724, CVE-2023-43725, CVE-2023-43726, CVE-2023-43727, CVE-2023-43728, CVE-2023-43729, CVE-2023-43730, CVE-2023-43731, CVE-2023-43732, CVE-2023-43733, CVE-2023-43734, CVE-2023-43735, CVE-2023-5111 and CVE-2023-5112 to refer to this issue from now on.
System Information
Version: Os Commerce 4.12.56860
Operating System: Windows
Mitigation
There is currently no patch available for this vulnerability.
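Because no vendor patch is listed, an operator may want to flag writes to the affected admin endpoints while the installation remains unpatched. The Python check below is an added example, not part of the Fluid Attacks advisory or the osCommerce code base: it maps a subset of the endpoints and parameters listed in the Exploitation section and reports any submitted value that contains HTML-active characters. The request records are constructed samples and the function names are my own.

```python
import html
from urllib.parse import parse_qsl, urlsplit

# Affected admin endpoints and parameters, copied from the advisory above
# (a representative subset; extend it with the rest of the list as needed).
AFFECTED = {
    "/admin/orders/tracking-save": {"tracking_number"},
    "/admin/design/theme-title": {"title"},
    "/admin/email/templates-save": {"email_templates_key"},
    "/admin/adminmembers/adminsubmit": {"admin_firstname"},
    "/admin/zones/save": {"zone_name"},
    "/admin/tax_classes/save": {"tax_class_title"},
    "/admin/configuration/saveparam": {
        "SKIP_CART_PAGE_TITLE[1]",
        "MAX_DISPLAY_NEW_PRODUCTS_TITLE[1]",
    },
}


def is_html_active(value: str) -> bool:
    """True if the value changes under HTML escaping, i.e. it contains
    a character (& < > " ') that can alter markup when echoed raw."""
    return html.escape(value, quote=True) != value


def review_request(method: str, url: str, body: str) -> list:
    """Return (parameter, value) pairs that hit an advisory-listed
    parameter on an affected endpoint and carry HTML-active characters.
    The body is a URL-encoded form; parse_qsl decodes names and values."""
    if method.upper() != "POST":
        return []
    watched = AFFECTED.get(urlsplit(url).path)
    if not watched:
        return []
    return [
        (name, value)
        for name, value in parse_qsl(body, keep_blank_values=True)
        if name in watched and is_html_active(value)
    ]


# Constructed sample requests, not captured traffic.
SAMPLES = [
    ("POST", "/admin/zones/save?zones_id=0", "zone_name=Bavaria"),
    ("POST", "/admin/zones/save?zones_id=0", "zone_name=%3Cb%3Ex%3C%2Fb%3E"),
    ("POST", "/admin/configuration/saveparam",
     "SKIP_CART_PAGE_TITLE%5B1%5D=Skip+%3Cb%3Ecart%3C%2Fb%3E&OTHER=%3C"),
]

if __name__ == "__main__":
    for method, url, body in SAMPLES:
        for name, value in review_request(method, url, body):
            print(f"{url}: HTML-active value in {name!r}: {value!r}")
```

Legitimate titles containing a bare `&` will also be flagged, so treat hits as triage candidates rather than confirmed attacks.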
References
Vendor page https://www.oscommerce.com
Timeline
Vulnerability discovered
Sep 22, 2023
Vendor contacted
Sep 22, 2023
Public disclosure
Sep 29, 2023