CNNVD-202602-285 Information
CNNVD ID
CNNVD-202602-285
Related CVE
- CNNVD Published: 2026-02-03
Description (Chinese)
Craft Commerce是Craft CMS开源的一个电子商务平台。 Craft Commerce 4.0.0-RC1版本至4.10.0版本和5.0.0版本至5.5.1版本存在跨站脚本漏洞,该漏洞源于订单状态历史消息使用允许原始HTML的|md过滤器渲染,可能导致存储型跨站脚本攻击,攻击者可窃取数据库凭据、用户个人信息、订单历史记录和双因素认证恢复码。
Description (English)
Craft Commerce is an open-source e-commerce platform for Craft CMS. Cross-site script loopholes exist in Craft Company Versions 4.0.0-RC1 to 4.10.0 and 5.0.0 to 5.5.1, which stem from the order state history message ’ s use of |md filters allowing the original HTML to be rendered, which may lead to a storage-type cross-station script attack, where the aggressor may steal a database certificate, user ’ s personal information, order history records and a double-factor authentication recovery code.
Hazard Level
High
Vulnerability Type
跨站脚本
Affected Vendor
Craft CMS
Published
2026-02-03
Last Modified
2026-02-24
References
https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c https://github.com/craftcms/commerce/releases/tag/5.5.2 https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5 https://access.redhat.com/security/cve/cve-2026-25483
Patch
https://github.com/craftcms/commerce/releases
Share on: