CVE-2026-29177
Craft Commerce has stored XSS in Craft Commerce Order Details Slideout
EPSS: 0.01%
Description
## Summary

A Stored Cross-Site Scripting (XSS) vulnerability exists in the Craft Commerce order details slideout. Malicious JavaScript can be injected via the **Shipping Method Name**, **Order Reference**, or **Site Name**. When a control panel user opens the order details slideout by double-clicking an order on the order index page, the stored payload is rendered unescaped and executes in that user's browser.

## Reproduction Steps

1. Navigate to **Commerce** -> **Store Management** -> **Shipping Methods**.
2. Click "New Shipping Method".
3. In the **Name** field, enter the following XSS payload:

```html
<img src=x onerror=alert('XSS_Shipping')>
```

4. Save the Shipping Method.
5. Place a new order or edit an existing order.
6. Set the order's **Shipping Method** to the one created in the previous steps.
7. Navigate to the **Orders** index page (`/admin/commerce/orders`).
8. Double-click the target order to open the details slideout.
9. **Result**: The XSS payload executes.
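The rendering mistake behind this class of bug, shown as an added example that is not Craft Commerce's own code: a hypothetical slideout renderer that concatenates the stored shipping method name, order reference and site name straight into markup, next to the same renderer with every untrusted field HTML-escaped, plus a small triage check for inline event handlers in the output. The `order` and `shippingMethod` objects are constructed sample data; the payload is the one from the reproduction steps.

```javascript
// Added example (not Craft Commerce code). Demonstrates the unescaped
// rendering pattern that makes stored fields executable, and the fix.

// Constructed sample data: the shipping method name carries the payload
// from the advisory; reference and site name are placeholders.
const shippingMethod = {
  name: "<img src=x onerror=alert('XSS_Shipping')>",
};
const order = {
  reference: "ORD-1001",      // constructed
  siteName: "Example Store",  // constructed
  shippingMethod,
};

// Escape the characters that can break out of an HTML text or
// attribute context. Output is safe to concatenate into markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: stored fields are interpolated directly, so a name
// containing a tag is parsed as a tag when the browser sets innerHTML.
function renderSlideoutUnsafe(o) {
  return `<dl>
  <dt>Reference</dt><dd>${o.reference}</dd>
  <dt>Site</dt><dd>${o.siteName}</dd>
  <dt>Shipping method</dt><dd>${o.shippingMethod.name}</dd>
</dl>`;
}

// Fixed pattern: every untrusted field is escaped before interpolation,
// so the payload is displayed as text rather than executed.
function renderSlideoutSafe(o) {
  return `<dl>
  <dt>Reference</dt><dd>${escapeHtml(o.reference)}</dd>
  <dt>Site</dt><dd>${escapeHtml(o.siteName)}</dd>
  <dt>Shipping method</dt><dd>${escapeHtml(o.shippingMethod.name)}</dd>
</dl>`;
}

// Triage check: does the rendered markup contain a real tag with an
// inline event handler (onerror=, onload=, ...)? Escaped text never
// matches because "&lt;" is not "<".
function hasInlineEventHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

console.log("unsafe executes:", hasInlineEventHandler(renderSlideoutUnsafe(order)));
console.log("safe executes:  ", hasInlineEventHandler(renderSlideoutSafe(order)));
```

The same escaping applies to the other two fields named in the advisory (order reference and site name); the fix is to treat every value that an authenticated store manager can set as untrusted at the point where it is inserted into the slideout's HTML, not to filter the payload at input time.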
Affected packages (1)
- Packagist/craftcms/commerce>= 4.0.0, < 4.10.2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |