GHSA-h9r9-2pxg-cx9m: Craft Commerce has Stored XSS in Shipping Zone (Name & Description) Fields Leading to Potential Privilege Escalation
A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel.
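The defensive pattern that closes this class of bug is output encoding at the point where a stored, user-supplied field is rendered into admin HTML. The following PHP is an added example written for this page, not code from Craft Commerce or from the referenced fix commit; the `$zone` array, its field names and both `renderZoneRow*` functions are assumptions that stand in for a stored shipping-zone record and the admin view that displays it.

```php
<?php
// Added example (not Craft Commerce's own code): rendering stored shipping-zone
// fields into admin-panel HTML. The vulnerable form interpolates the raw value;
// the hardened form HTML-encodes it first.
declare(strict_types=1);

// Constructed sample record standing in for a stored shipping zone. The field
// names are assumptions, not Craft's schema. The values contain markup so the
// difference between the two renderers is visible in the output.
$zone = [
    'name'        => 'Europe <b>priority</b>',
    'description' => 'Ships to EU & EEA <i>only</i>',
];

// Vulnerable: the stored value is placed into the HTML unmodified, so any
// markup it contains is interpreted by the administrator's browser.
function renderZoneRowVulnerable(array $zone): string
{
    return '<tr><td>' . $zone['name'] . '</td><td>' . $zone['description'] . '</td></tr>';
}

// Encoder for the HTML text and attribute contexts. ENT_QUOTES encodes both
// quote characters so the helper is also safe inside attribute values;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
// which would otherwise silently blank the field.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: every stored value is encoded before interpolation, so the markup
// is shown literally rather than executed.
function renderZoneRowSafe(array $zone): string
{
    return '<tr><td>' . e($zone['name']) . '</td><td>' . e($zone['description']) . '</td></tr>';
}

echo renderZoneRowVulnerable($zone), PHP_EOL;
echo renderZoneRowSafe($zone), PHP_EOL;
```

Run it with `php example.php`: the first line shows the `<b>` and `<i>` tags passed through intact, the second shows them as `&lt;b&gt;` and `&lt;i&gt;`, and the bare `&` in the description becomes `&amp;`. The same principle applies in Twig templates, which Craft uses for its views: keep autoescaping on and never apply the `|raw` filter to a value an editor can set, since `|raw` reintroduces exactly the behaviour of `renderZoneRowVulnerable`. Encoding is context-specific, so a value placed inside a `<script>` block or a URL needs a JavaScript or URL encoder rather than this HTML one.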
References
- github.com/advisories/GHSA-h9r9-2pxg-cx9m
- github.com/craftcms/commerce
- github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee
- github.com/craftcms/commerce/releases/tag/4.10.1
- github.com/craftcms/commerce/releases/tag/5.5.2
- github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m