PT-2026-24630 · Packagist · Craftcms/Commerce
Published 2026-03-10 · Updated 2026-03-10
CVSS v4.0
1.9
Low
| Vector | AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Summary
A stored XSS vulnerability exists when a user updates the Order Status of an order from the Commerce Orders table. The Order Status Name is rendered into the "Update Order Status..." dialog without proper escaping, so markup and script placed in the name by whoever created or edited the status execute in the browser of any control-panel user who opens that dialog. Creating or editing an Order Status requires an administrator account, which is why the vector scores PR:H and the base score is low.
Proof of Concept
Required Permissions
- Admin access (to edit/create Order Statuses)
Steps to Reproduce
- Log in with an admin account
- Navigate to Commerce → Settings → Order Statuses
- Create a new order status
- Set the Name field to:
```html
<img src=x onerror="alert('Order Statuses XSS')">
```
- Save the order status
- Go to Commerce → Orders (make sure you placed any orders)
- From the left panel, select any Order Status (e.g., New)
- Select any order from the orders table → Click on the Gear Icon → then click "Update Order Status..."
- Notice the XSS execution
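The defect the summary describes is the classic one: a user-controlled string is concatenated into markup instead of being escaped. The block below is an added example, not Craft Commerce code; it assumes (hypothetically) that the status picker in the "Update Order Status..." dialog is built from a client-side string template, and shows the unescaped rendering beside an escaped version using the PoC payload as constructed input.

```javascript
// Added example (not Craft Commerce code). Assumption: the dialog builds its
// status list from a string template; the helper names are hypothetical.

// Constructed input: the exact payload from the PoC steps above.
const PAYLOAD = `<img src=x onerror="alert('Order Statuses XSS')">`;

// Escape the five characters that matter when text is placed in element
// content or inside a double- or single-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Reverse of escapeHtml, used only to show that escaping preserves the
// text the user will actually see in the dialog.
function unescapeHtml(value) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return String(value).replace(/&(amp|lt|gt|quot|#39);/g, (m) => map[m]);
}

// Vulnerable pattern: the raw status name goes straight into the markup.
// A name containing "<img ... onerror=...>" becomes a real element.
function renderStatusOptionUnsafe(status) {
  return `<option value="${status.id}">${status.name}</option>`;
}

// Hardened pattern: the same template, every interpolated value escaped.
// The browser now shows the literal text of the name and parses no element.
function renderStatusOptionSafe(status) {
  return `<option value="${escapeHtml(status.id)}">${escapeHtml(status.name)}</option>`;
}

// Returns true if the option's inner content would be parsed as containing
// a tag ("<" followed by a letter), i.e. the output is still injectable.
function optionContentHasTag(optionMarkup) {
  const inner = optionMarkup.replace(/^<option[^>]*>/, '').replace(/<\/option>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

// Stand-alone run for the reader.
if (typeof require !== 'undefined' && require.main === module) {
  const status = { id: 7, name: PAYLOAD };
  console.log('unsafe:', renderStatusOptionUnsafe(status));
  console.log('safe:  ', renderStatusOptionSafe(status));
}
```

Server-side the fix is the same idea in Twig: render the name with autoescaping on (or `|e`) rather than `|raw`, and never pass a raw status name into a JavaScript string that is later assigned to `innerHTML`.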
Fix
XSS
Weakness Enumeration
Related identifiers
Affected products
Craftcms/Commerce