Mhe4Am

**Name of the Vulnerable Software and Affected Versions** Craft Commerce versions prior to 4.10.2 Craft Commerce versions prior to 5.5.3 **Description** Craft Commerce, an ecommerce platform for Craft CMS, contains a Stored Cross-Site Scripting (XSS) issue in the Order details section. An attacker can inject malicious JavaScript code through the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout by double-clicking on the order index page, the injected code will execute. **Recommendations** Update to Craft Commerce version 4.10.2 or later. Update to Craft Commerce version 5.5.3 or later.

**Name of the Vulnerable Software and Affected Versions** Craft Commerce versions prior to 4.10.2 Craft Commerce versions prior to 5.5.3 **Description** Craft Commerce, an ecommerce platform for Craft CMS, has a SQL Injection issue in the purchasables table endpoint. The `sort` parameter is split and the column name part is passed to the `orderBy()` function without proper validation. Yii2’s query builder does not escape array keys, which allows an authenticated attacker to inject SQL into the `ORDER BY` clause. The vulnerable endpoint is '/purchasables'. The vulnerable parameter is `sort`. **Recommendations** Update to Craft Commerce version 4.10.2 or later. Update to Craft Commerce version 5.5.3 or later.

**Name of the Vulnerable Software and Affected Versions** Craft Commerce versions prior to 4.10.2 Craft Commerce versions prior to 5.5.3 **Description** Craft Commerce, an ecommerce platform for Craft CMS, contains a stored cross-site scripting issue. The issue occurs when a user attempts to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, which allows for script execution. **Recommendations** Update to Craft Commerce version 4.10.2 or later. Update to Craft Commerce version 5.5.3 or later.

**Name of the Vulnerable Software and Affected Versions** Craft Commerce versions prior to 5.5.3 **Description** Craft Commerce, an ecommerce platform for Craft CMS, has a SQL Injection issue in the inventory levels table data endpoint. The `sort[0][direction]` and `sort[0][sortField]` parameters are directly added to an `addOrderBy()` clause without proper validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject SQL queries, potentially compromising the entire database. **Recommendations** Update to version 5.5.3 or later.

**Name of the Vulnerable Software and Affected Versions** Craft Commerce versions prior to 5.5.3 **Description** Craft Commerce, an ecommerce platform for Craft CMS, contains a stored cross-site scripting issue in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields do not have proper HTML escaping, which allows an attacker to execute arbitrary JavaScript when a user views the inventory management page. This affects all users, including administrators. **Recommendations** Update to version 5.5.3 or later.

**Name of the Vulnerable Software and Affected Versions** Craft Commerce versions prior to 5.5.3 **Description** Craft Commerce, an ecommerce platform for Craft CMS, contains a stored cross-site scripting (XSS) issue. The issue is present in the Commerce Settings - Inventory Locations page where the `Name` field is not properly sanitized before being displayed, allowing an attacker to inject and execute arbitrary JavaScript code. This can be triggered when an administrator or a user with product editing permissions creates or edits a variant product. **Recommendations** Update to version 5.5.3 or later.

**Name of the Vulnerable Software and Affected Versions** Craft CMS versions prior to 4.17.0-beta.1 and 5.9.0-beta.1 **Description** Craft is a content management system (CMS). An authenticated administrator can achieve Remote Code Execution (RCE) by injecting a Server-Side Template Injection (SSTI) payload into Twig template fields, such as Email Templates. By calling the `craft.app.fs.write()` method, an attacker can write a malicious PHP script to a web-accessible directory and subsequently access it via a browser to execute arbitrary system commands. The vulnerability also allows for the disclosure of sensitive information, including database credentials and the security key, through access to `craft.app` properties. **Recommendations** Update Craft CMS to version 4.17.0-beta.1 or later. Update Craft CMS to version 5.9.0-beta.1 or later.

**Name of the Vulnerable Software and Affected Versions** Craft versions prior to 4.17.0-beta.1 Craft versions prior to 5.9.0-beta.1 **Description** The entry creation process allows for Mass Assignment of the `authorId` attribute. A user with "Create Entries" permission can inject the `authorIds[]` or `authorId` parameter into the POST request. The backend processes this parameter without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, effectively "spoofing" the authorship. This could allow an attacker to post malicious or inappropriate content attributed to an administrator or other trusted users, potentially bypassing review processes or gaining trust based on false authorship. **Recommendations** Versions prior to 4.17.0-beta.1 should be updated to 4.17.0-beta.1 or later. Versions prior to 5.9.0-beta.1 should be updated to 5.9.0-beta.1 or later.

**Name of the Vulnerable Software and Affected Versions** Craft versions prior to 5.9.0-beta.1 Craft versions prior to 4.17.0-beta.1 **Description** Craft is a content management system (CMS). A flaw exists where the "Duplicate" entry action does not properly verify user permissions for specific target elements. Even with limited "View Entries" permission, a user can bypass UI restrictions by sending a direct request. This allows duplication of other users' entries by specifying their Entry IDs. Because Entry IDs are incremental, an attacker can potentially brute-force these IDs to duplicate and access restricted content. The vulnerability is exploitable via a direct request to the ''/index.php?p=admin%2Factions%2Felement-indexes%2Fperform-action'' API endpoint, utilizing the `elementIds` parameter. The request requires a valid `CSRF` token and cookie. **Recommendations** Versions prior to 5.9.0-beta.1 should be updated to 5.9.0-beta.1 or later. Versions prior to 4.17.0-beta.1 should be updated to 4.17.0-beta.1 or later.

**Name of the Vulnerable Software and Affected Versions** Craft versions prior to 5.9.0 Craft versions prior to 4.17.0 **Description** Craft is a content management system (CMS). The system uses a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. Several PHP functions were not included in this blocklist, potentially allowing malicious actors with the required permissions to execute payloads, including remote code execution (RCE), arbitrary file reads, server-side request forgery (SSRF), and server-side template injection (SSTI). To successfully exploit this, an attacker needs to have `allowAdminChanges` enabled on production, a compromised admin account, or an account with access to the System Messages utility. Twig has deprecated the behavior that allowed this, and it will eventually be removed from Twig altogether. **Recommendations** Versions prior to 5.9.0 should be updated to version 5.9.0. Versions prior to 4.17.0 should be updated to version 4.17.0 and the `enableTwigSandbox` config setting should be enabled.

**Name of the Vulnerable Software and Affected Versions** Craft versions 4.5.0-RC1 through 4.16.18 Craft versions 5.0.0-RC1 through 5.8.22 **Description** Craft is a content management system (CMS) that contains a stored Cross-site Scripting (XSS) issue within the `editableTable.twig` component when utilizing the `html` column type. The application does not properly sanitize input, which allows an attacker to execute arbitrary JavaScript when another user views a page containing the malicious table field. To exploit this, an attacker requires an administrator account and `allowAdminChanges` must be enabled in production. The vulnerable component is the `editableTable.twig` component, specifically when using the `html` column type. The vulnerable parameter is `types[craft-fields-Table][columns][col3][type]`. **Recommendations** Craft versions 4.5.0-RC1 through 4.16.18: Upgrade to version 4.16.19 or later. Craft versions 5.0.0-RC1 through 5.8.22: Upgrade to version 5.8.23 or later.

**Name of the Vulnerable Software and Affected Versions** Craft versions 4.0.0-RC1 through 4.16.17 Craft versions 5.0.0-RC1 through 5.8.21 **Description** Craft is a platform for creating digital experiences. A stored Cross-Site Scripting (XSS) issue exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping, which allows for script execution when the Number field is displayed on users' profiles. The vulnerable fields are susceptible because of the lack of proper input sanitization. **Recommendations** Update to Craft version 4.16.18 or later. Update to Craft version 5.8.22 or later.

**Name of the Vulnerable Software and Affected Versions** Craft versions 5.0.0-RC1 through 5.8.21 **Description** Craft is susceptible to a stored cross-site scripting (XSS) issue due to insufficient sanitization of Entry Type names. Specifically, the application does not properly sanitize the name when displaying it in the Entry Types list. An attacker with admin access and `allowAdminChanges` enabled can inject malicious code, such as a JavaScript payload, into the Entry Type name field. This injected code will then be executed when other administrators view the Entry Types list at the `/admin/settings/entry-types` endpoint. The vulnerability is triggered by providing a crafted input like `<img src=x onerror="alert('XSS-EntryTypes')" hidden>` as the Entry Type name. **Recommendations** Craft versions 5.0.0-RC1 through 5.8.21 should be updated to version 5.8.22 or later.

**Name of the Vulnerable Software and Affected Versions** Craft versions 4.0.0-RC1 through 4.16.17 Craft versions 5.0.0-RC1 through 5.8.21 **Description** The `saveAsset` GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. This allows an attacker to bypass Server-Side Request Forgery (SSRF) protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. The application validates the initial URL, but Guzzle's redirect behavior circumvents this validation. The mutation uses the `/saveAsset` GraphQL endpoint with the `url` parameter. The `url` parameter is used to specify the location of the asset to be saved. **Recommendations** Craft versions prior to 4.16.18 are affected. Craft versions prior to 5.8.22 are affected. Disable redirects.

**Name of the Vulnerable Software and Affected Versions** Craft versions 4.0.0-RC1 through 4.16.17 Craft versions 5.0.0-RC1 through 5.8.21 **Description** The `saveAsset` GraphQL mutation in Craft does not properly validate IP addresses used to access cloud metadata services. The application uses `filter var(..., FILTER VALIDATE IP)` to block a list of IP addresses, but this function does not recognize alternative IP notations like hexadecimal or mixed formats. This allows attackers to bypass the blocklist and potentially access cloud metadata. The vulnerable component is the `saveAsset` mutation. The vulnerable parameter is the IP address used in the request. **Recommendations** Update to Craft version 4.16.18 or later. Update to Craft version 5.8.22 or later.

**Name of the Vulnerable Software and Affected Versions** Craft versions 4.0.0-RC1 through 4.16.17 Craft versions 5.0.0-RC1 through 5.8.21 **Description** Craft is a platform for creating digital experiences. The `element-indexes/get-elements` API endpoint is susceptible to SQL Injection via the `criteria[orderBy]` parameter within the JSON body. The application does not properly sanitize input received through this parameter before utilizing it in database queries. An authenticated attacker with Control Panel access can inject arbitrary SQL into the ORDER BY clause by omitting `viewState[order]` or setting both to the same payload. **Recommendations** Update to Craft version 4.16.18 or later. Update to Craft version 5.8.22 or later.

**Name of the Vulnerable Software and Affected Versions** Craft Commerce versions 4.0.0-RC1 through 4.10.0 Craft Commerce versions 5.0.0 through 5.5.1 **Description** Craft Commerce, an ecommerce platform for Craft CMS, contains a stored cross-site scripting (XSS) issue. The issue resides in the Tax Rates 'Name' field within the Store Management section, which does not properly sanitize input before displaying it in the admin panel. This allows attackers to inject malicious JavaScript code that executes in an administrator's browser. An attacker could potentially escalate privileges to administrator by exploiting this issue, especially if an elevated session exists. The attacker can also create a fake 'Session Expired' login modal overlay to steal administrator credentials. The vulnerable field is located at `/admin/commerce/store-management/primary/taxrates`. The `Name` field is the vulnerable parameter. **Recommendations** Craft Commerce versions 4.0.0-RC1 through 4.10.0: Upgrade to version 4.10.1 or later. Craft Commerce versions 5.0.0 through 5.5.1: Upgrade to version 5.5.2 or later.

**Name of the Vulnerable Software and Affected Versions** Craft Commerce versions 4.0.0-RC1 through 4.10.0 Craft Commerce versions 5.0.0 through 5.5.1 **Description** Craft Commerce, an ecommerce platform for Craft CMS, contains a stored cross-site scripting (XSS) issue. The issue stems from insufficient sanitization of the `Name` and `Description` fields within `Tax Zones` before display in the admin panel. This allows attackers to inject and execute malicious JavaScript code in an administrator’s browser. An attacker could potentially escalate privileges to administrator level by exploiting this issue, especially if an elevated session is present. The attacker can leverage the XSS to create a fake 'Session Expired' login modal overlay, tricking administrators into submitting their credentials. The affected API endpoint is `/admin/commerce/store-management/primary/taxzones`. The vulnerable parameters are the `Name` and `Description` fields. **Recommendations** Craft Commerce versions 4.0.0-RC1 through 4.10.0 should be upgraded to version 4.10.1 or later. Craft Commerce versions 5.0.0 through 5.5.1 should be upgraded to version 5.5.2 or later.

**Name of the Vulnerable Software and Affected Versions** Craft Commerce versions 4.0.0-RC1 through 4.10.0 Craft Commerce versions 5.0.0 through 5.5.1 **Description** Craft Commerce, an ecommerce platform for Craft CMS, contains a stored cross-site scripting (XSS) issue. The issue stems from insufficient sanitization of the 'Address Line 1' field within Inventory Locations before display in the admin panel. This allows attackers to inject malicious JavaScript code that executes in an administrator’s browser. An attacker could potentially escalate privileges to administrator level by exploiting this issue, especially if an elevated session exists. The proof of concept demonstrates that an attacker can inject a payload into the 'Address Line 1' field, which then executes JavaScript when the page is loaded. A malicious payload can be used to steal administrator credentials through a fake login modal or directly elevate the attacker’s account to admin status. **Recommendations** Craft Commerce versions 4.0.0-RC1 through 4.10.0 should be upgraded to version 4.10.1 or later. Craft Commerce versions 5.0.0 through 5.5.1 should be upgraded to version 5.5.2 or later.

**Name of the Vulnerable Software and Affected Versions** Craft Commerce versions 4.0.0-RC1 through 4.10.0 Craft Commerce versions 5.0.0 through 5.5.1 **Description** A stored DOM Cross-Site Scripting (XSS) issue exists within the "Recent Orders" dashboard widget. The Order Status Name is rendered using JavaScript string concatenation without appropriate escaping, which allows for script execution when an administrator accesses the dashboard. The issue occurs because the `value.name` variable, representing the Order Status Name, is directly concatenated into an HTML string without sanitization. This allows malicious tags or scripts within the name to be executed when the HTML is inserted into the DOM. The vulnerable file is `vendor/craftcms/commerce/src/templates/ components/widgets/orders/recent/body.twig`. **Recommendations** Craft Commerce versions 4.0.0-RC1 through 4.10.0: Update to version 4.10.1 or later. Craft Commerce versions 5.0.0 through 5.5.1: Update to version 5.5.2 or later.