This page summarizes a stored XSS vulnerability reported in Craft Commerce that can be chained into privilege escalation. The key details, as captured from the advisory screenshot:

- **Vulnerability Type**: Stored Cross-Site Scripting (XSS)
- **Affected Package**: `craftcms/commerce` (Composer)
- **Affected Versions**:
  - >= 5.0.0-RC1,
  - = 4.0.0-RC1, `) into the Address Line 1 field to trigger the vulnerability, resulting in an alert box confirming JavaScript execution.
- **Privilege Escalation to Admin**:
  - Using a malicious payload, if an escalation session exists, an attacker can modify `` to their own user ID in a payload such as:
    `/permissions',{method:'POST',body:'CRAFT_CSRF_TOKEN=${Craft.csrfTokenValue}&permissions%5\bGeneral.readAccess=1&permissions%5\bCommerce.readAccess=1&permissions%5\bCommerce.writeAccess=1',headers: {'X-Requested-With':'XMLHttpRequest'} });">`
    This can elevate the attacker's account to admin privileges.
  - Log in with an admin account in another browser and access the vulnerable page (Inventory Location page).
  - Return to the attacker's account and observe that it has been escalated to admin.
- **Exploitation Scenario Application**: In a real-world scenario, an attacker could force the victim to log out so that their session expires. When the victim re-authenticates, the stored XSS payload executes in the new session and the attack completes. A more sophisticated variant overlays a fake "Session Expired" login modal; because it appears on a trusted domain, the administrator may unknowingly enter their credentials and hand them to the attacker.
- **Vulnerability Reporter**: mHe4am
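The root cause described above is a stored field (Address Line 1) being rendered into an admin page without output encoding; the CSRF token offers no protection because the injected script already runs on the site's own origin and can read `Craft.csrfTokenValue`. The following is an added example, not code from Craft Commerce or the advisory, that shows the vulnerable rendering pattern beside its hardened form and a small regression check a reviewer could run over rendered fragments. The address record, the `render_*` functions and the `<td>`-only template are constructed for illustration.

```python
"""Added example (not Craft Commerce code): rendering a stored address field
with and without HTML output encoding, plus a check that flags any tag the
template itself did not emit."""
import html
import re

# Constructed sample record, as it might be stored after a customer submits
# a checkout form: Address Line 1 carries markup instead of a street name.
SAMPLE_ADDRESS = {
    "line1": '<img src=x onerror="alert(1)">',
    "city": "O'Fallon",
}


def render_unsafe(address: dict) -> str:
    # Vulnerable pattern: the stored value is interpolated straight into
    # the HTML of an admin-only page, so whatever the customer typed becomes
    # live markup for the administrator who views it.
    return f"<td>{address['line1']}</td><td>{address['city']}</td>"


def esc(value) -> str:
    # Encode for an HTML text node or a double-quoted attribute value.
    # quote=True also encodes ' and " so a value cannot close the attribute
    # it sits in and start a new one.
    return html.escape(str(value), quote=True)


def render_safe(address: dict) -> str:
    # Hardened pattern: every stored value passes through esc() at the point
    # of output, in both text and attribute context.
    return (
        f'<td data-city="{esc(address["city"])}">{esc(address["line1"])}</td>'
        f"<td>{esc(address['city'])}</td>"
    )


# Matches a '<' that opens any element other than the template's own <td>
# and </td>. Encoded input ("&lt;img") contains no '<' and so never matches.
FOREIGN_TAG_RE = re.compile(r"<(?!/?td\b)[a-zA-Z]")


def contains_foreign_tag(fragment: str) -> bool:
    # Regression check: True if the rendered fragment contains markup that
    # did not come from the template itself.
    return FOREIGN_TAG_RE.search(fragment) is not None


if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = fn(SAMPLE_ADDRESS)
        print(f"{name}: foreign tag present = {contains_foreign_tag(out)}")
        print("  ", out)
```

In Craft's Twig templates the equivalent of `esc()` is the autoescaping that is on by default; the same defect reappears whenever a value is emitted with `|raw` or built into HTML in PHP without `htmlspecialchars()`. The check above is deliberately narrow (it only knows about `<td>`), which is the point: a template-specific allow-list is easy to keep exact, whereas a generic "strip dangerous tags" filter on input is what lets encoded and attribute-context payloads through.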