CVE-2026-29176
EPSS 0.01%

Craft Commerce has stored XSS in Inventory Location Name

Description
## Summary

A stored XSS vulnerability exists in the Commerce Settings - Inventory Locations page. The **Name** field is rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript. The XSS triggers when an administrator (or a user with product editing permissions) creates or edits a variant product.

## Proof of Concept

### Permissions Required

- General - Access the control panel
- Access Craft Commerce
- Craft Commerce - Manage inventory locations

### Steps to Reproduce

1. Log in to the control panel
2. Navigate to **Commerce → Inventory Locations**
3. Create or edit a location
4. Set **Name** to the following payload:
   ```html
   <img src=x onerror="alert('XSS')">
   ```
5. Save the location
6. Navigate to **Commerce → Products**, click "New Product", then click "New product variant"
7. The Inventory Location table loads, rendering the **Inventory Location Name**
8. XSS executes

## Impact

- Potential session hijacking
- Potential database exfiltration
- Potential account takeover by forcing a password change on the victim's account
- Potential privilege escalation, or creation of new admin users

## Mitigation

Escape the inventory location name field when rendering it in the "Track Inventory" table.
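To make the mitigation concrete, here is an added stand-alone PHP illustration (not Craft Commerce's own code) that renders an inventory location name into a table cell both unescaped and escaped, using the advisory's payload as constructed input; the function names and the regex check are assumptions for this example.

```php
<?php
// Added illustration, not Craft Commerce code: contrast an unescaped render of
// the inventory location name with an escaped one. The advisory's PoC payload
// is used as the constructed sample input.
$locationName = '<img src=x onerror="alert(\'XSS\')">';

// Vulnerable pattern: the stored name is interpolated into markup as-is, so the
// browser parses the <img> tag and runs its onerror handler.
function renderRowUnescaped(string $name): string {
    return "<tr><td>{$name}</td></tr>";
}

// Hardened pattern: escape the name for an HTML text context before
// interpolation. This is what Twig's autoescape (or the |e filter) does;
// ENT_QUOTES covers both quote styles so the value is also safe in attributes.
function renderRowEscaped(string $name): string {
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<tr><td>{$safe}</td></tr>";
}

// Regression check a template test could apply: the rendered row must not
// contain a live on* event-handler attribute inside any tag.
function containsLiveEventHandler(string $html): bool {
    return (bool) preg_match('/<[^>]*\son[a-z]+\s*=/i', $html);
}

$unsafe = renderRowUnescaped($locationName);
$safe   = renderRowEscaped($locationName);

var_dump(containsLiveEventHandler($unsafe));
var_dump(containsLiveEventHandler($safe));
echo $safe, PHP_EOL;
```

The first `var_dump` reports the handler surviving in the unescaped row, the second reports it neutralised; the echoed row shows the payload reduced to inert `&lt;img ...&gt;` text.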
Affected packages (1)

- Packagist: craftcms/commerce >= 5.0.0, < 5.5.3
CVSS score

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |