WS-2021-0487

Date: December 15, 2021

Overview

The “vc-platform (VirtoCommerce)” application, versions v2.1 to v3.79.0, is affected by a stored XSS vulnerability via HTML file upload in the Asset Upload feature. A low-privileged application user can store a malicious script in an uploaded file; the script executes in a victim’s browser when the victim opens the uploaded file.

Details

The “vc-platform (VirtoCommerce)” application is affected by a stored XSS vulnerability via HTML file upload in the Asset Upload feature. Because uploaded HTML is stored and later served back from the platform, a low-privileged application user can store a malicious script in the uploaded file, and that script executes in a victim’s browser when the victim opens the uploaded file.

PoC Details

Log in to the application with a manager role user that has administrative privileges for the electronics store. This is considered low privilege (it is not an administrative role of the application). Click on the “More” option on the left pane and then click the “Content” option. Click on the “Pages” option in the Electronics store section, then click the “Upload” option and then click the icon in the Asset Upload section to upload a file. Then select the malicious HTML file (containing the payload shown in the PoC Code section) and upload it. Click on the three dots next to the uploaded file and copy the file link. Now open a new tab in the browser and navigate to the copied link, and the XSS will be triggered.

PoC Code

<script>alert(1)</script>

Affected Environments

v2.1 to v3.79.0

Prevention

No fix
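Since no fixed version is listed, the practical defence is on the serving side: an uploaded asset must never be rendered as a document in the application's own origin. The C# below is an added example written for this advisory, not VirtoCommerce's own code; it assumes the endpoint that serves stored assets is under our control, and the class and method names (AssetResponsePolicy, HeadersFor, LooksLikeMarkup) are hypothetical. It forces a download for anything with an active extension or with content that browser MIME sniffing would promote to HTML, and adds nosniff plus a sandboxing CSP for everything else.

```csharp
// Added example (not VirtoCommerce's code): choose response headers for a stored
// asset so that an uploaded HTML file cannot run script in the platform's origin.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

public static class AssetResponsePolicy
{
    // Extensions a browser will render as a document (and so execute script from).
    private static readonly HashSet<string> ActiveExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { ".html", ".htm", ".xhtml", ".shtml", ".mhtml", ".svg", ".xml" };

    // Leading markers that browser MIME sniffing treats as HTML, so a ".txt" or
    // extension-less upload with this content would still be rendered as a page.
    private static readonly string[] HtmlMarkers =
        { "<!doctype html", "<html", "<head", "<body", "<script", "<iframe", "<svg" };

    // True when the first bytes look like markup, regardless of the file name.
    public static bool LooksLikeMarkup(byte[] content)
    {
        int len = Math.Min(content.Length, 1445); // sniffing window used by browsers
        string head = Encoding.ASCII.GetString(content, 0, len).TrimStart().ToLowerInvariant();
        foreach (string marker in HtmlMarkers)
            if (head.StartsWith(marker, StringComparison.Ordinal)) return true;
        return false;
    }

    // Headers for serving one stored asset: inline for plain images, download otherwise.
    public static IDictionary<string, string> HeadersFor(string fileName, byte[] content)
    {
        var headers = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            // The browser must not second-guess the type we send.
            ["X-Content-Type-Options"] = "nosniff",
            // If anything does render, it gets no script, no plugins and a sandboxed origin.
            ["Content-Security-Policy"] = "default-src 'none'; img-src 'self'; sandbox",
        };

        string ext = Path.GetExtension(fileName);
        bool active = ActiveExtensions.Contains(ext) || LooksLikeMarkup(content);
        if (active)
        {
            // Stored, never rendered: force a download under an opaque type.
            headers["Content-Type"] = "application/octet-stream";
            headers["Content-Disposition"] = "attachment; filename=\"" + SafeName(fileName) + "\"";
        }
        else
        {
            headers["Content-Type"] = SafeImageType(ext);
            headers["Content-Disposition"] = "inline";
        }
        return headers;
    }

    // Strip path components and characters that could break the header value.
    private static string SafeName(string fileName)
    {
        string name = Path.GetFileName(fileName);
        return name.Replace("\"", "").Replace("\r", "").Replace("\n", "");
    }

    // Only a small allow-list is served inline; everything unknown is an opaque download.
    private static string SafeImageType(string ext)
    {
        switch (ext.ToLowerInvariant())
        {
            case ".png": return "image/png";
            case ".jpg":
            case ".jpeg": return "image/jpeg";
            case ".gif": return "image/gif";
            case ".webp": return "image/webp";
            default: return "application/octet-stream";
        }
    }

    public static void Main()
    {
        // Constructed sample: the advisory's payload stored under a harmless-looking name.
        byte[] stored = Encoding.UTF8.GetBytes("<script>alert(1)</script>");
        foreach (KeyValuePair<string, string> kv in HeadersFor("product-notes.txt", stored))
            Console.WriteLine(kv.Key + ": " + kv.Value);
        // Printed: Content-Type is application/octet-stream with an attachment disposition,
        // because the content sniffs as markup even though the extension is .txt.
    }
}
```

The sample deliberately uses a non-HTML file name: an extension check alone would have served it inline, and a browser navigating to the link would sniff the leading `<script` and render it. The stronger fix, where the deployment allows it, is to serve user uploads from a separate origin (a dedicated download host or storage URL) so that even a rendered file has no access to the platform's session; the header policy above is the fallback when uploads must stay in the application's origin.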

Language: C#

Good to know:


Cross-Site Scripting (XSS)

CWE-79

Upgrade Version

No fix version available

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None