usefulfor.com/security security dojo

26 Apr 07

Elastic Path Embedded Cross Site Scripting

Elastic Path is a Java e-commerce software platform for building online stores and shopping carts. This software is used by businesses to manage their e-commerce. Features such as a search engine, merchandising, payment, tax, customer management, order management, etc. are included in the Elastic Path manager.

Elastic Path 5.0 has been found to be vulnerable to an embedded Cross Site Scripting attack that could allow an attacker to gain unauthorised access to the Elastic Path Commerce Manager and obtain administrative privileges.

The embedded XSS vulnerability was identified in the ‘First Name’ and ‘Last Name’ fields, which are displayed when viewing a user’s details. An attacker could inject JavaScript into these fields in any e-commerce application that is managed with Elastic Path, and the script would be executed in the Elastic Path manager when an administrator views that user’s details.

This vulnerability could be exploited in a large number of ways, such as session hijacking, key logging or social engineering; the main limitation would be the creativity of the person performing the attack.

Elastic Path have addressed this vulnerability and implemented a fix in version 5.1.1.
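
The general defence against this class of bug is to HTML-encode stored values when the admin view renders them. The sketch below is an added example, not Elastic Path code and not a description of the vendor's actual fix; the `Customer` record, the method names and the sample records are hypothetical and constructed for illustration.

```java
import java.util.List;

// Added illustration; not Elastic Path code. All names here are hypothetical.
public class CustomerDetailsView {

    record Customer(String firstName, String lastName) {}

    // Encode the characters that are significant in HTML element content
    // and in quoted attribute values.
    static String htmlEncode(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable pattern: storefront input stored as-is, then concatenated
    // into the HTML that the administrator's browser renders.
    static String renderUnsafe(Customer c) {
        return "<td>" + c.firstName() + "</td><td>" + c.lastName() + "</td>";
    }

    // Hardened pattern: encode at output, whatever the storefront accepted.
    static String renderEncoded(Customer c) {
        return "<td>" + htmlEncode(c.firstName()) + "</td><td>"
                + htmlEncode(c.lastName()) + "</td>";
    }

    // Audit helper: flag records already stored with markup in a name field.
    static boolean needsReview(Customer c) {
        return (c.firstName() + c.lastName()).matches("(?s).*[<>].*");
    }

    public static void main(String[] args) {
        // Constructed sample records; the second carries markup in a name field.
        List<Customer> stored = List.of(
            new Customer("Anne", "O'Neil"),
            new Customer("<script>alert(1)</script>", "Smith"));
        for (Customer c : stored) {
            System.out.println("unsafe : " + renderUnsafe(c));
            System.out.println("encoded: " + renderEncoded(c));
            System.out.println("review : " + needsReview(c));
        }
    }
}
```

The encoded output shows the second record's first name as inert text, and `needsReview` illustrates how existing customer records can be audited for markup after upgrading.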

The full security advisory can be found here: [1]

Filed under: Advisories