Security Advisory: 2x XSS in SimpleCart

Following a bug report from Roel Zeilstra at Sterc, we have identified two related persistent cross-site scripting vulnerabilities in SimpleCart. The issue is fixed in v2.3.0-rc5.

This vulnerability requires administrator access and a SimpleCart Options TV input type to be defined or created.

The two identified XSS vulnerabilities are:

  1. In the manager, it is possible to execute JavaScript in the context of a logged-in administrator editing a product with product options. This could theoretically be used to perform any admin-related action the attacker may not have had access to, using the exploited user's permissions.

  2. The same vulnerable field also affects the default front-end output of the SimpleCart Option Output Type, allowing JavaScript to run when visiting the product page.

We consider these low-severity vulnerabilities, as they require manager access to exploit. As they could theoretically be used by a lower-level admin to gain additional permissions or execute other actions in the session of a higher-level admin, we strongly recommend upgrading to 2.3.0-rc5.

Timeline for these vulnerabilities:

First bug report: July 20th
Bug researched further and XSS vectors identified: August 8th
Vulnerabilities fixed: August 8th
Patch release available: August 31st, v2.3.0-rc5
Security Advisory published: September 14th

The upgrade to SimpleCart 2.3.0-rc5 is free for all existing SimpleCart users. For users who have not yet migrated their licenses to modmore, please visit [Migrate SimpleCart licenses to modmore][1] for instructions.

[1]: https://www.modmore.com/simplecart/migrate-licenses/