Name of the Vulnerable Software and Affected Versions Vendure (affected versions not specified)

Description The issue concerns an authorization system with different levels of privileges. In the admin UI, certain description inputs, such as those for inventory, collection catalog, shipping methods, and promotions, are vulnerable. The WYSIWYG editor allows limited customization, but altering request data outside the UI can save and return arbitrary HTML without sanitization, leading to a Cross-Site Scripting (XSS) attack when viewing the page. This XSS can result in privilege escalation, where a user who can write descriptions can trigger the attack, and any other user visiting the vulnerable page is prone to arbitrary JavaScript code execution, allowing the attacker to execute actions on behalf of the user.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.